Security Policy
Last updated: January 1, 2025
Zoxrim is a cybersecurity company. We hold ourselves to a higher standard than most when it comes to the security of our own platform. This page describes how we protect the Service and how you can responsibly report security vulnerabilities you discover.
Our Security Practices
We implement the following controls to protect the platform and your data:
- Encryption at rest: All persistent data — including database records, backups, and file storage — is encrypted using AES-256. Encryption keys are managed through AWS Key Management Service (KMS) with automatic rotation.
- Encryption in transit: All communication between clients and our servers, and between our internal services, is protected with TLS, using TLS 1.3 wherever the peer supports it. TLS 1.1 and earlier are disabled.
- Access control: Production systems are accessible only to authorized personnel over SSH, protected by MFA and short-lived certificate credentials rather than long-lived keys. All administrative actions are logged, and the logs are retained for 90 days.
- Penetration testing: We engage independent security firms to conduct full application and infrastructure penetration tests on a quarterly basis. Critical and high-severity findings are remediated within 30 days.
- Bug bounty program: We operate an open bug bounty program (currently non-monetary; see the Bug Bounty Program section below) to engage the security community in identifying vulnerabilities in our platform.
- Dependency scanning: Our CI/CD pipeline scans every code dependency for known CVEs on each build. Critical dependency vulnerabilities trigger an immediate patch workflow.
- Secrets management: No credentials, API keys, or secrets are stored in source code or environment files. All secrets are stored in AWS Secrets Manager and injected at runtime.
Responsible Disclosure
We welcome security researchers who identify vulnerabilities in our platform and report them to us in good faith. Please follow these guidelines when reporting:
How to report: Send your findings to [email protected]. If your report is sensitive, first email the same address to request our PGP public key; we will reply with the key so you can encrypt your report before sending it.
What to include in your report:
- A clear description of the vulnerability and the affected component or endpoint.
- Step-by-step reproduction instructions, including any tools or payloads used.
- Assessment of potential impact (data exposure, account takeover, privilege escalation, etc.).
- Optional: Proof-of-concept code or screenshots (please do not extract or exfiltrate real user data).
- Your preferred contact information for follow-up.
Please do not publicly disclose the vulnerability until we have had the opportunity to investigate and remediate it. We ask for a standard 90-day coordinated disclosure window for critical findings.
Our Commitment to Researchers
When you report a vulnerability to us in good faith and follow this policy, we commit to:
- Triage within 48 business hours: We will acknowledge your report and provide an initial severity assessment within 48 business hours.
- Fix within 30 days for critical and high-severity issues: Critical and high-severity vulnerabilities will be patched and deployed within 30 days of confirmation. We will keep you informed of our progress.
- Credit in our security changelog: With your permission, we will acknowledge your contribution by name or handle in our public security changelog when the fix is released.
- No legal action against good-faith researchers: We will not pursue civil or criminal action against researchers who discover and report vulnerabilities in compliance with this policy and our Acceptable Use Policy. We consider good-faith security research to be authorized and beneficial.
Out of Scope
The following are explicitly out of scope for our bug bounty program and will not be eligible for recognition. Performing these activities may also violate our Acceptable Use Policy:
- Denial of Service (DoS) or Distributed DoS (DDoS) attacks against our infrastructure or services.
- Social engineering attacks targeting Zoxrim employees, contractors, or support staff.
- Physical access attacks targeting our office locations or data centers.
- Vulnerabilities in third-party services we use (report those to the respective vendors).
- Automated scan results without manual verification or proof of exploitability.
- Findings related to missing security headers or best-practice configurations that have no demonstrated exploitable impact.
- Self-XSS or attacks that require the victim to take highly unlikely actions.
Bug Bounty Program
Our bug bounty program is currently non-monetary. While we are not yet offering cash rewards, we value the contributions of security researchers and recognize every valid finding with:
- Hall of Fame listing: Your name or handle will be featured on the Zoxrim Security Hall of Fame page (with your consent).
- Letter of recognition: For significant findings, we will provide a signed letter of recognition from our security team that you can include in your security portfolio or resume.
- Priority access: Recognized researchers may receive early access to new Zoxrim features and direct communication with our security team.
We are actively planning a monetized bug bounty program for the future. Researchers who contribute before the monetized program launches will be considered for retroactive rewards at our discretion.
PGP Key
For sensitive security reports that you wish to encrypt before sending, a PGP key is available on request. Email [email protected] to request our current public PGP key. We will respond with the key fingerprint and download link within one business day.
Before sending anything sensitive, verify the full fingerprint of the key you actually downloaded against the fingerprint obtained through a secondary channel (e.g., our official social media accounts or a phone call). Do not rely solely on the fingerprint quoted in the same email as the download link, and never match on a short key ID alone: key IDs are far shorter than the fingerprint and can be forged.
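The check described above, as an added example that is not part of Zoxrim's own tooling: the script reads the primary-key fingerprint out of a downloaded key file without importing it, normalizes both the file's fingerprint and the one obtained out of band (people paste them with spaces, lower-case hex, a "0x" prefix or a "Fingerprint:" label), refuses anything shorter than a full fingerprint (a short key ID), and only then declares the key safe to import. It assumes GnuPG 2.2 or later is installed for `--show-keys`; the file name `zoxrim-security.asc` and the fingerprints in the usage line are placeholders, not Zoxrim's real key.

```bash
#!/usr/bin/env bash
# Added example, not Zoxrim's tooling. Assumes GnuPG 2.2+ (provides --show-keys).
# The key file name and the expected fingerprint passed to verify_key_file are
# placeholders supplied by the caller.
set -u

# Normalize a fingerprint as humans and tools print it: strip a leading
# "Fingerprint:" label, "0x" prefixes and all whitespace, then upper-case hex.
normalize_fingerprint() {
    printf '%s\n' "$1" \
        | sed -e 's/^[Ff]ingerprint://' -e 's/0x//g' -e 's/[[:space:]]//g' \
        | tr 'a-f' 'A-F'
}

# A full v4 fingerprint is 40 hex digits (v5 keys use 64). Anything shorter is
# a key ID, which can be forged and must not be used for verification.
is_full_fingerprint() {
    case "$1" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ] || [ "${#1}" -eq 64 ]
}

# Succeeds only when both values are full fingerprints and identical.
fingerprint_matches() {
    local expected actual
    expected=$(normalize_fingerprint "$1")
    actual=$(normalize_fingerprint "$2")
    is_full_fingerprint "$expected" && is_full_fingerprint "$actual" \
        && [ "$expected" = "$actual" ]
}

# Print the primary-key fingerprint of an ASCII-armored key file without
# importing it. --with-colons is the stable machine-readable format; the first
# "fpr" record is the primary key, and its 10th field holds the fingerprint.
key_file_fingerprint() {
    gpg --show-keys --with-colons "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Usage: verify_key_file zoxrim-security.asc "<fingerprint from secondary channel>"
# Exit 0 on match, 1 on mismatch, 2 if the file could not be read as a key.
verify_key_file() {
    local keyfile="$1" expected="$2" actual
    actual=$(key_file_fingerprint "$keyfile")
    if [ -z "$actual" ]; then
        echo "ERROR: could not read a PGP public key from $keyfile" >&2
        return 2
    fi
    if fingerprint_matches "$expected" "$actual"; then
        echo "OK: $keyfile matches $expected; import with: gpg --import $keyfile"
        return 0
    fi
    echo "MISMATCH: file has '$actual', expected '$expected'. Do not import or use this key." >&2
    return 1
}
```

Run `verify_key_file` with the key file and the fingerprint you read out of the secondary channel; only import the key (`gpg --import`) after it reports OK, so that an attacker who can tamper with the email or the download link cannot get a substitute key into your keyring.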
Contact
- Security reports: [email protected]
- Abuse reports: [email protected]
- PGP key: available on request at the security email above
