Vulnerability Disclosure Policy

Last updated: April 21, 2026

Quick start: Email the maintainers via the contact listed in /.well-known/security.txt with a clear description, reproduction steps, and impact assessment. We will acknowledge within 3 business days.

Our Commitment

We take the security of our users seriously. If you have discovered a vulnerability in 3Z0, we appreciate your help in disclosing it to us responsibly. We commit to:

Respond to your report within 3 business days.
Investigate promptly and keep you informed of the progress.
Credit you publicly (if you wish) once a fix has been deployed.
Not pursue legal action against researchers acting in good faith under this policy.

Scope

The following are considered in scope:

The production 3Z0 website and its subdomains.
The public API endpoints under /api/*.
The authentication, 2FA, and account-management flows.
File-upload endpoints (profile pictures, featured images).

Out of Scope

Denial-of-service attacks, volumetric stress tests, and any testing that could degrade availability for other users.
Social-engineering attacks against our staff, contributors, or support email.
Physical attacks against infrastructure.
Reports from automated scanners without a proof-of-concept.
Best-practice findings with no demonstrable security impact (e.g., missing X-Powered-By, permissive CORS on public read-only endpoints, lack of SPF/DKIM on non-sending subdomains).
Issues in third-party services we do not control.

How to Report

Use the contact listed in our security.txt — this is the canonical channel and is monitored by the security team.
Include the following in your report:
- A clear description of the issue.
- Precise reproduction steps (including HTTP requests where relevant).
- Your assessment of the impact (e.g., who is affected, what can be done).
- Your preferred name/handle for credit if we publish a writeup.
If the issue is particularly sensitive, say so up front — we can set up an encrypted channel before you share proof-of-concept material.

Please don't: publicly disclose the issue, share it with third parties, access user data beyond what's strictly needed to demonstrate impact, or attempt to pivot from one finding to another. Give us a fair opportunity to fix the issue first.

Safe Harbor

Activities conducted in a manner consistent with this policy will be considered authorized conduct. We will not initiate or support legal action against researchers acting in good faith. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with it.

Disclosure Timeline

Day 0: Report received.
Within 3 business days: Initial acknowledgment.
Within 10 business days: Triage and severity assessment shared.
Remediation: Target 30 days for critical/high, 60 days for medium, and best-effort timelines for low-severity issues.
Public disclosure: After a fix is deployed, we coordinate a mutually-acceptable disclosure date — typically within 90 days of the initial report.

Recognition

We maintain a list of researchers who have helped make 3Z0 safer. If you'd like recognition, let us know in your report and we'll add you after the issue is resolved.

What not to report here: account recovery requests, abuse reports (spam/harassment/etc.), or general support questions. Those go to the contact page.

Thanks for making the web safer.