Zeplin takes security very seriously. We take quality assurance steps to ensure our products are of high quality and secure. However, like all software products, it is possible that a security vulnerability may be present in one of our products.
If you believe you've discovered a security issue or vulnerability in Zeplin, please let us know confidentially by emailing us at firstname.lastname@example.org. We appreciate responsible disclosure and will acknowledge security researchers who have reported an issue that is proven and of sufficient severity.
- Only consider the domain *.zeplin.io
- Do not access, destroy or negatively impact Zeplin's or its customers' data in any way
- Do not use automated scanners - the use of automated scanners may result in investigative action and your IP being blocked
- Make a good faith effort to avoid privacy violations and interruption or degradation of Zeplin's services during your research - no Denial of Service!
- Do not conduct any type of physical or electronic attack against Zeplin's personnel, offices or data centers, or any social engineering or phishing of Zeplin employees or contractors
- Do not violate any laws or breach any prior agreements
Please do not report issues similar to:
- Displayed server software banners or other version information
- Descriptive error messages
- Missing HTTP security headers (e.g. X-Frame-Options)
- Missing or incorrect SPF, DKIM or DMARC records
- CSRF on forms that are available to anonymous users
- Username / email enumeration
- Disclosure of known public files (e.g. robots.txt)
Zeplin will not initiate legal actions against researchers, as long as they adhere to these parameters.
To protect our customers, we ask that you do not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed.
Thank you for helping to keep Zeplin and our users safe!