Security Trust Center

Disclosure Policy

Last Updated: May 2026

We value the work of independent security researchers. If you discover a vulnerability in ZeroAuth, we ask that you disclose it to us responsibly so we can quickly address it before the details are made public.

01. Reporting Flow

Contact Point

Security Office

All reports are processed by our core security engineering team. Please use our direct address for encrypted or standard disclosure exchanges.

Direct Contact Address

Required Report Metadata

To ensure swift processing, please structure your report with the following details:

  • Reproducible Steps: Clear, step-by-step instructions or proof-of-concept scripts.
  • Environment Details: Client version, target operating system (iOS/Android), and device model.
  • Impact Assessment: Technical classification of the vulnerability and its potential risk vector.

02. Triage & Response

Service Level Agreement

Response Targets

Our triage pipelines prioritize issues based on their cryptographic impact and their effect on user safety.

Step 01

Acknowledgement

Under 48 Hours

Immediate confirmation of receipt and assignment to a security engineer.

Step 02

Triage & Plan

5 Business Days

Technical assessment of report validity, impact mapping, and remediation planning.

Step 03

Remediation

Priority Gated

High-severity cryptographic or isolation bypasses are immediately prioritized for hotfixing.

03. Safe Harbor

Legal Boundary

Authorized Conduct

We consider activities conducted consistent with this policy to constitute authorized conduct. We will not pursue civil action or initiate law enforcement complaints for good-faith testing.

Qualification Criteria

User Protection

Never attempt to access, modify, or destroy data belonging to other users. Only test against accounts you own or have explicit permission to test.

Availability Limits

Avoid impacting the availability of our services. No Denial of Service (DoS/DDoS) testing against our coordinator or update infrastructure.

Coordinated Release

Give us a reasonable amount of time to remediate the vulnerability before disclosing details publicly, so that active users are not exposed to risk.

Target Scope

Only execute tests on application boundaries directly related to the ZeroAuth application and its underlying cryptographic logic.

04. Program Exclusions

Out of Scope

Excluded Vectors

The following vulnerabilities are generally excluded from our disclosure program unless they demonstrate a chained attack vector leading directly to local vault compromise.

Social Manipulation

Social engineering, phishing, or user manipulation directed at ZeroAuth staff, core developers, or users.

Physical Device Access

Attacks requiring physical possession of an unlocked, unencrypted device, or physical tampering with hardware components.

Rooted Host Context

Attacks predicated on deeply compromised, jailbroken, or rooted host operating systems where standard OS sandboxing boundaries are broken.

Marketing Infrastructure

Missing HTTP security headers, SPF/DKIM configurations, or DNS policies on non-authenticated public marketing pages.