Vulnerability Disclosure Policy
Security is not a checkbox for us. It is a continuous effort. We know that no software is perfect. If you discover a security vulnerability in our services, we want to know.
This Policy describes how you can report security issues to us, what you can expect from us, and what rules apply.
Scope
This Policy applies to all publicly accessible services of Zation AG:
- zation.io
- platform.zation.io
- docs.zation.io
- all subdomains of zation.io
Third-party services we use (for example Microsoft, Anthropic) are out of scope. Please report security issues with these providers directly to their respective programmes.
How to report
Send your report to info@zation.io.
Please include:
- Which service or URL is affected
- A description of the vulnerability
- Steps to reproduce, where possible
- Your assessment of the impact and severity
- Your contact details for follow-up questions
If you wish to transmit sensitive details encrypted, ask us for our PGP key.
What you can expect from us
- An acknowledgement of receipt within 3 working days
- An initial assessment within 10 working days
- Regular updates on the progress of remediation
- Notification once the vulnerability has been fixed
- Recognition in our Security & Trust statement, if you wish
We take every report seriously. Even if a report turns out not to describe a vulnerability, we will still respond to you.
Safe Harbor
Security researchers who act in good faith and follow this Policy do not need to fear legal action from us. Concretely, this means:
- We will not pursue civil or criminal action against your activities, as long as you follow the rules of this Policy
- We consider your testing activity authorised within the meaning of applicable computer misuse laws
- We work with you to understand and remediate the vulnerability
What you may do
- Identify vulnerabilities and report them to us
- Perform necessary tests to confirm a vulnerability
- Collect evidence that is relevant to the report
What you may not do
- Do not view, download, or modify data of customers or third parties. As soon as you see that a test leads you to such data, stop and report the vulnerability to us.
- No denial-of-service attacks (DoS, DDoS)
- No destructive testing (data deletion, data modification in production systems)
- No social engineering attacks against employees, customers, or partners
- No physical attacks against infrastructure or sites
- No high-volume automated scanning that places noticeable load on our systems
- Do not disclose vulnerabilities publicly before we have had the opportunity to fix them
Confidential handling
We treat your report and your identity confidentially. We do not share your information with third parties without your consent, unless we are legally required to do so.
Disclosure
Once a vulnerability has been fixed, you may disclose it after coordination with us. We ask for coordinated disclosure, so that our customers have time to implement any necessary actions. The usual period is 90 days after remediation.
Contact
- Security reports: info@zation.io
- General enquiries or questions about this Policy: also info@zation.io
Changes to this Policy
We update this Policy as needed. The current version is always available at this URL.
Last updated: June 27, 2026