Vulnerability Disclosure

We welcome responsible security research to keep our platform safe.

Last Updated: 16 September 2025

Principles

  • Good Faith: We will not pursue legal action for good‑faith research within this policy.
  • Confidentiality: Do not publicly disclose a vulnerability until we have remediated or agreed to coordinated disclosure.
  • Respect: Avoid privacy violations, data destruction, or service disruption.

In Scope

  • Public website properties under the zuvohq.com domain
  • Public API endpoints, whether documented or discoverable
  • Authentication & session management flows

Out of Scope

  • Physical attacks, social engineering, spam campaigns
  • Denial of Service (volumetric) testing
  • Automated scans causing performance degradation
  • Third-party services (report directly to provider)

How to Report

Send an email to support@zuvohq.com with the following:

  • Vulnerability summary & potential impact
  • Detailed reproduction steps (URLs, payloads, accounts)
  • Proof-of-concept (screenshots, scripts) if safe
  • Your contact details for follow-up & your disclosure preference

Research Guidelines

  • Avoid accessing more data than necessary to demonstrate the issue.
  • Use test accounts where possible.
  • Do not run automated scanners aggressively.
  • No ransom, extortion, or threats.
  • Cease testing immediately upon finding customer data exposure and report it.

Safe Harbor

If you comply with this policy when reporting a security issue, we will consider your research authorized and will not initiate legal action. This does not extend to actions that are clearly malicious, cause harm, or involve exfiltrating personal data.

Updates

We may revise this policy. Material changes will be signaled on this page with an updated date. Continued testing after changes constitutes acceptance.

This policy does not guarantee monetary rewards or bug bounties at this time.