This Responsible Disclosure Policy helps us ensure that vulnerabilities are reported and addressed both promptly and responsibly.
Upon receiving reports of vulnerabilities in accordance with this policy, we commit to taking immediate action. This includes engaging relevant personnel within our organization and collaborating with security researchers to resolve the issue expediently. We aim to address all reported vulnerabilities in line with our security and privacy commitments.
We assure you that we will not pursue legal action against individuals who responsibly disclose security vulnerabilities under this policy. However, it is essential to note that ZF retains all legal rights in cases of non-compliance.
Response and Recognition
While we appreciate and acknowledge your disclosure efforts, we do not provide financial compensation for reported vulnerabilities. Requests for compensation or participation in bug bounty programs are not considered compliant with this Responsible Disclosure Policy.
Guidelines for Responsible Reporting
To ensure responsible disclosure, we request that individuals adhere to the following guidelines when reporting vulnerabilities:
- Refrain from disclosing the bug or vulnerability on public platforms before informing ZF and allow reasonable time for resolution.
- Avoid exploiting vulnerabilities to access unauthorized data or compromise confidentiality and availability.
- Do not engage in activities that may impact the reliability or availability of our services, such as DDoS or spam attacks.
- Avoid using scanners or automated tools to discover vulnerabilities, as they may have unintended consequences.
- Refrain from non-technical attacks, including social engineering, phishing, or physical attacks against our employees or infrastructure.
- Do not seek compensation for vulnerabilities, either directly or indirectly.
What to include in the report?
When reporting vulnerabilities, please provide the following details:
- Description of the suspected vulnerability
- Steps to reproduce the issue
- Your email address and a secure method of contact
- Your name or colleague's name for recognition, if desired
How to Report an Issue
If you believe you have discovered a vulnerability in one of our products or applications, please complete the form below. We request that suspected vulnerabilities are not publicly disclosed without prior consent from ZF.