Skip to content
ZYNOSEC
INITIALIZING SECURE SESSION 00%
Get Assessment
▸ Security

Responsible Disclosure

We take security seriously. If you have found a genuine vulnerability, we want to hear from you.

Reporting a Vulnerability

If you have discovered a security vulnerability in any ZynoSec-owned asset, please report it to info@zynosec.com with the subject line "Security Report".

Qualifying Vulnerabilities

We are interested in reports that demonstrate real security impact. This includes:

  • Remote code execution
  • SQL injection, XSS (stored), SSRF with demonstrated impact
  • Authentication or authorization bypass
  • Sensitive data exposure
  • Privilege escalation
  • Any vulnerability with a clear, exploitable attack scenario

What to Include

Reports must include:

  • Clear description of the vulnerability and its actual security impact
  • Detailed steps to reproduce
  • Working proof-of-concept (code, screenshots, or video)
  • Affected URL/endpoint
  • Your contact information for follow-up

Reports without a working PoC or without demonstrated impact will not be reviewed.

Not Accepted (Out of Scope)

The following are not considered valid vulnerabilities and will be ignored:

  • Missing HTTP security headers (CSP, HSTS, X-Frame, etc.) without demonstrated exploit
  • SPF/DKIM/DMARC configuration suggestions
  • SSL/TLS version or cipher suite complaints
  • Clickjacking without sensitive action impact
  • Self-XSS or login/logout CSRF
  • Rate limiting issues without demonstrated abuse
  • Content spoofing or text injection without security impact
  • Missing cookie flags on non-sensitive cookies
  • Information disclosure with no exploitable impact (server version, error messages)
  • Automated scanner output without manual verification
  • Denial-of-service attacks
  • Social engineering of ZynoSec employees
  • Physical security testing
  • Issues in third-party services or dependencies
  • Theoretical vulnerabilities without a working PoC

Our Commitment

  • We will acknowledge valid reports within 48 hours
  • We will provide an assessment within 5 business days
  • We will credit you publicly (if desired) once the issue is resolved
  • We will not pursue legal action against researchers acting in good faith

Scope

This policy covers zynosec.com and any subdomains. It does not cover client assets, systems tested during engagements, or third-party services we use.

Contact

Email: info@zynosec.com

For encrypted communications, request our PGP public key via email.