Zygon Vulnerability Disclosure Policy

1. How to Report a Suspected Vulnerability

If you would like to report a vulnerability or have a security concern regarding Zygon products and services, please email security@zygon.tech. We will respond to you and acknowledge receipt of your report.

Once your report has been submitted, we will work to validate the reported vulnerability and will reach out to you if additional information is required.

2. What we would like to see from you

To help us triage and remediate potential findings, the vulnerability report should:

  • Describe the vulnerability, precisely where it was discovered, and the real-world impact.
  • Reports from automated scanning tools are not accepted.
  • Offer a detailed description of the steps needed to reproduce the vulnerability (POCs, screenshots, and videos are helpful).
  • Please include one vulnerability per report (unless it is part of an attack chain).
  • Don’t report automated scanner results without proof of exploitability.
  • The following are considered out of scope and will be ignored by our teams: minor vulnerabilities on the marketing website (www.zygon.tech) and DNS configuration items.

3. The Zygon team's commitment

We ask that you do not share an unresolved vulnerability with third parties or publicize it. If you responsibly submit a vulnerability report, the Zygon team and associated development organizations will use reasonable efforts to:

  • Respond in a timely manner, acknowledging receipt of your vulnerability report.
  • Provide an estimated time frame for addressing the vulnerability report.
  • Notify you when the vulnerability has been fixed.

We are happy to thank every individual researcher who submits a vulnerability report, helping us improve our overall security posture at Zygon.

4. Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.