Legal - Security & Responsible Disclosure

We take the security of this website seriously. If you believe you have found a vulnerability, here is how to report it — and what you can expect from us in return.

Effective: May 22, 2026
Last updated: May 22, 2026

01 Our commitment

Zaibex builds and operates software for clients in regulated industries, and we hold our own website to the same standard. We welcome reports from security researchers and will work with you in good faith to verify, triage, and fix valid issues.

02 Reporting a vulnerability

If you believe you have found a security vulnerability in zaibex.com, email privacy@zaibex.com with:

  • A clear description of the issue and its potential impact.
  • The steps, URLs, or proof-of-concept needed to reproduce it.
  • Any relevant context — browser, tooling, and the IP address you tested from.

Please report promptly and give us a reasonable opportunity to resolve the issue before disclosing it publicly. A machine-readable version of this contact is published at /.well-known/security.txt.

03 Scope

In scope: the website at zaibex.com and its subdomains, and the public form endpoints (project enquiries, careers applications, and newsletter signup).

Out of scope:

  • Third-party services we use but do not operate — for example, our hosting, email, and scheduling providers. Report those to the provider directly.
  • Systems we build and host for clients under separate agreements.
  • Findings from automated scanners without a demonstrated, realistic impact.
  • Missing best-practice headers or configuration with no concrete, demonstrable exploit.
  • Spam, social engineering, and physical attacks.

04 Safe harbor

If you make a good-faith effort to comply with this policy during your research, we will consider your research authorized, we will work with you to understand and resolve the issue quickly, and we will not pursue or support legal action against you for it.

If legal action is initiated by a third party against you for activity that complied with this policy, we will make this authorization known.

05 Research guidelines

To stay within the safe harbor above, please:

  • Only test against accounts and data you own or have explicit permission to use.
  • Do not access, modify, or delete data that is not yours.
  • Stop at the point of demonstrating a vulnerability — do not pivot, exfiltrate data, or escalate further.
  • Do not run denial-of-service, brute-force, spam, or load-testing attacks.
  • Do not use social engineering, phishing, or physical intrusion against Zaibex, our clients, or our staff.
  • Keep the details of any vulnerability confidential until we confirm it is resolved.

06 What to expect from us

When you submit a report, we will:

  • Acknowledge your report within five business days.
  • Give you an assessment and an expected timeline once we have triaged it.
  • Keep you updated as we work toward a fix.
  • Let you know when the issue is resolved.

We do not currently run a paid bug-bounty program. With your permission, we are glad to credit you publicly once an issue is fixed.

07 Contact

Security contact: privacy@zaibex.com

Machine-readable policy: /.well-known/security.txt