ZeFile

Security Policy

Last updated: March 3, 2026

1. Vulnerability Disclosure

We take the security of ZeFile seriously. If you discover a vulnerability, we want to hear about it so we can fix it quickly and keep our users safe. This policy describes how to report security issues and what to expect from us.

2. Scope

ZeFile is built with security at its core. Here's what we protect:
- File encryption: All files are encrypted during transfer and at rest, ensuring your data stays private from upload to download.
- CDN-powered delivery: Files are served through our content delivery network, adding an extra layer of protection between storage and end users.
- Password-protected transfers: Senders can lock their transfers with a password, so only intended recipients can access the files.
- Early threat detection: We actively monitor for suspicious activity and unusual access patterns to catch potential issues before they become problems.
- Breach prevention: Our infrastructure is designed to limit exposure, with strict access controls and isolated services to reduce the impact of any single point of failure.

3. Out of Scope

The following are out of scope:
- Third-party services operated by our partners
- Social engineering attacks against ZeFile employees or users
- Denial of service (DoS/DDoS) attacks
- Physical attacks against ZeFile infrastructure
- Automated scanning that generates excessive traffic

4. Rules of Engagement

When researching, please follow these guidelines:
- Do not access, modify, or delete other users' data
- Do not perform destructive testing on production systems
- Do not exploit vulnerabilities beyond a minimal proof of concept
- Report findings promptly and do not disclose them publicly before we've had a chance to fix them
- Use test accounts you create yourself for testing

5. How to Report

Send your findings to [email protected]. Please include:
- A clear description of the vulnerability
- Step-by-step instructions to reproduce the issue
- The potential impact of the vulnerability
- Any screenshots or proof-of-concept code

You may encrypt your report using our PGP key (available on request).

6. Response Timeline

Here's what to expect after you submit a report:
- Acknowledgment: within 48 hours
- Initial assessment: within 5 business days
- Resolution target: within 30 days (depending on severity)

We'll keep you updated on our progress and let you know when the issue has been resolved.

7. Safe Harbor

We will not take legal action against security researchers who:
- Act in good faith and follow this policy
- Avoid privacy violations, data destruction, and service disruption
- Report vulnerabilities to us before disclosing them publicly

We consider security research conducted in accordance with this policy to be authorized and will not pursue legal action for it.

8. Questions

If you have questions about this policy or need to report a security issue, reach out to [email protected].