NetzSec Logo
All policies
LegalUpdated June 7, 2026

Responsible Disclosure Policy

How security researchers can report vulnerabilities in NetzSec systems, scope, safe harbour, and our commitment to coordinated resolution.

This policy is issued by NetzSec and applies across everything we operate, including the ZeroTraceproduct line (zerotrace.one and its subdomains). Where it says “NetzSec” or “we,” that covers ZeroTrace too.

1. Overview

NetzSec welcomes responsible security research that helps keep users safe. This policy explains how to report vulnerabilities in NetzSec websites, services, and products, including the ZeroTrace product line.

Do not publicly disclose security issues until we confirm a fix or mitigation plan.

2. In Scope

  • netzsec.com and zerotrace.one websites, and zerotrace.pw subdomains (secure, dashboard, docs, status)
  • authentication, dashboards, APIs, and backend services
  • official ZeroTrace software/firmware releases and update mechanisms
  • misconfigurations that expose data or bypass access controls

3. Out of Scope / Not Allowed

  • Denial-of-service (DoS/DDoS) testing or traffic flooding
  • Social engineering, phishing, or physical attacks
  • Accessing, modifying, or deleting data you do not own or have explicit authorisation to access
  • Malware deployment, persistence, or exploitation against real users
  • Extortion, ransom demands, or "pay or I disclose" behaviour

4. Safe Harbour (Good-Faith Research)

If you follow this policy, act in good faith, and avoid privacy violations or service disruption, we will not pursue legal action solely for your research. This does not cover intentional harm, unauthorised data access, or laws that apply in your jurisdiction.

5. How to Report a Vulnerability

Send your report to contact@netzsec.com.

Include:

  • affected system/URL/product + version
  • clear reproduction steps (proof-of-concept is fine)
  • impact description (what an attacker could do)
  • screenshots/logs where helpful
  • your contact info for follow-ups

6. Response & Resolution Timeline

  • Acknowledgement: typically within 3–7 business days
  • Triage: severity assessment and assignment
  • Fix: timeline depends on severity and complexity
  • Disclosure: coordinated disclosure after a fix or mitigation

7. Credit & Recognition

If you want, we may credit you in release notes or on a security acknowledgements page after the issue is resolved, subject to your consent and the sensitivity of the report.

8. Final Notes

This policy is meant to protect users and researchers. Please keep reports confidential until resolution and avoid collecting any real user data.