Responsible Disclosure Policy

Describes how security researchers can safely report vulnerabilities in ZeroTrace systems, and our commitment to coordinated resolution.

Last updated: November 13, 2025

1. Responsible Disclosure Overview

ZeroTrace welcomes responsible security research that helps keep users safe. This policy explains how to report vulnerabilities in ZeroTrace websites, services, and products.

Do not publicly disclose security issues until we confirm a fix or mitigation plan.

2. In Scope

  • zerotrace.pw website and subdomains
  • authentication, dashboards, APIs, and backend services
  • official ZeroTrace software/firmware releases and update mechanisms
  • misconfigurations that expose data or bypass access controls

3. Out of Scope / Not Allowed

  • Denial-of-service (DoS/DDoS) testing or traffic flooding
  • Social engineering, phishing, or physical attacks
  • Accessing, modifying, or deleting data you do not own or have explicit authorization to access
  • Malware deployment, persistence, or exploitation against real users
  • Extortion, ransom demands, or “pay or I disclose” behavior

4. Safe Harbor (Good-Faith Research)

If you follow this policy, act in good faith, and avoid privacy violations or service disruption, we will not pursue legal action solely for your research. This safe harbor does not cover intentional harm or unauthorized data access, and it does not override laws that apply in your jurisdiction.

5. How to Report a Vulnerability

Send your report to:

admin@zerotrace.pw

Include:

  • affected system/URL/product and version
  • clear reproduction steps (proof-of-concept is fine)
  • impact description (what an attacker could do)
  • screenshots/logs where helpful
  • your contact info for follow-ups

6. Response & Resolution Timeline

  • Acknowledgment: typically within 3–7 business days
  • Triage: severity assessment and assignment
  • Fix: timeline depends on severity and complexity
  • Disclosure: coordinated disclosure after a fix or mitigation

Timelines may vary during holidays, high-volume periods, or complex investigations.

7. Credit & Recognition

If you want, we may credit you in release notes or a security acknowledgments page after the issue is resolved—subject to your consent and the sensitivity of the report.

8. Final Notes

This policy is meant to protect users and researchers. Please keep reports confidential until resolution and avoid collecting any real user data.