Zeplin takes security very seriously. We take quality assurance steps to ensure our products are of high quality and secure. However, like all software products, it is possible that a security vulnerability may be present in one of our products.
If you believe you've discovered a security issue or vulnerability in Zeplin or Omlet, please let us know confidentially by emailing us at security@zeplin.io. We appreciate responsible disclosure and will acknowledge security researchers who have reported an issue that is proven and of sufficient severity.
Disclosure Policy
Only consider the domains *.zeplin.io or *.omlet.dev
Do not access, destroy or negatively impact Zeplin's or its customers’ data in any way
Do not use automated scanners - the use of automated scanners may result in investigative action and your IP being blocked
Make a good-faith effort to avoid privacy violations and any interruption or degradation of Zeplin's services during your research - no Denial of Service!
Do not conduct any type of physical or electronic attack against Zeplin’s personnel, offices or data centers, or any social engineering or phishing of Zeplin employees or contractors
Do not violate any laws or breach any prior agreements
Please do not report issues similar to:
Displayed server software banners or other version information
Descriptive error messages
Missing HTTP security headers (e.g. X-Frame-Options)
Missing or incorrect SPF, DKIM or DMARC records
CSRF on forms that are available to anonymous users
Username / email enumeration
Disclosure of known public files (e.g. robots.txt)
Zeplin will not initiate legal actions against researchers, as long as they adhere to these parameters.
To protect our customers, we ask that you do not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed.
Thank you for helping to keep Zeplin and our users safe!