Security Policy

Last updated: November 24, 2025

At Zig Zeig, we take the security and privacy of your data seriously. This page outlines our security practices and how to report vulnerabilities.

Reporting Security Vulnerabilities

If you discover a security vulnerability in Zig Zeig, please report it to us responsibly:

Response Time: We aim to acknowledge security reports within 48 hours.

What to Include in Your Report

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact and severity assessment
  • Any proof-of-concept code (if applicable)
  • Your contact information for follow-up

Scope

In Scope

  • Authentication and authorization bypasses
  • Data exposure or leakage (PII, brand data, campaigns)
  • SQL injection, XSS, CSRF, and other injection attacks
  • API security issues and broken access controls
  • Infrastructure vulnerabilities (if you identify them)
  • Insecure direct object references (IDOR)
  • Server-side request forgery (SSRF)

Out of Scope

  • Social engineering attacks against our team or users
  • Denial of Service (DoS/DDoS) attacks
  • Physical security issues
  • Issues requiring unlikely user interaction
  • Spam or content quality issues
  • Vulnerabilities in third-party services we don't control

Safe Harbor Policy

We consider security research conducted in good faith as authorized testing. We will not pursue legal action against researchers who:

  • Report vulnerabilities privately and responsibly
  • Avoid data destruction, privacy violations, or service disruption
  • Do not exploit findings beyond what's necessary to demonstrate the issue
  • Make a good faith effort to comply with this policy

Recognition

We appreciate security researchers who help keep Zig Zeig secure. With your permission, we will:

  • Publicly acknowledge your contribution (unless you prefer anonymity)
  • Provide updates on remediation progress
  • Work with you to understand and fix the vulnerability

Our Security Measures

We implement multiple layers of security to protect your data:

Data Encryption

  • In Transit: TLS 1.3 encryption for all data transmission
  • At Rest: AES-256 encryption for stored data
  • Passwords: bcrypt hashing with salt

Authentication & Access Control

  • Secure authentication via Supabase Auth
  • Row-level security (RLS) policies on all database tables
  • Role-based access control (RBAC)
  • Session management with secure tokens

Infrastructure Security

  • Hosting on secure, GDPR-compliant infrastructure
  • Regular security updates and patches
  • Firewall and network segmentation
  • DDoS protection

Application Security

  • Input validation and sanitization
  • Protection against XSS, CSRF, and injection attacks
  • Secure API design with rate limiting
  • Regular security audits and code reviews

Data Protection

  • Data Location: EU-based infrastructure (GDPR compliant)
  • Backups: Regular encrypted backups with secure retention
  • Access Logs: Comprehensive logging and monitoring
  • Data Processors: Vetted third-party services with DPAs

Third-Party Services

We rely on trusted, security-focused service providers:

  • Supabase: Database, auth, and storage (EU infrastructure)
  • Google AI: Direct integration with Gemini API for AI processing

All third-party processors are GDPR-compliant and operate under data processing agreements.

Incident Response

In the event of a security incident, we will:

  1. Immediately investigate and contain the incident
  2. Assess the impact and affected users
  3. Notify affected users within 72 hours (GDPR requirement)
  4. Work to remediate the vulnerability
  5. Conduct a post-incident review to prevent recurrence

Compliance & Certifications

  • GDPR: Full compliance with EU data protection regulations
  • SOC 2: In progress (planned for 2026)
  • ISO 27001: Future certification goal

User Security Best Practices

Help us keep your account secure:

  • Use a strong, unique password
  • Enable two-factor authentication (when available)
  • Don't share your credentials
  • Review your account activity regularly
  • Report suspicious activity immediately
  • Keep your email address secure (used for password resets)

Contact Security Team

For security concerns, vulnerability reports, or questions:

Security Email: security@zigzeig.com

PGP Key: Available upon request

For non-security issues, contact support@zigzeig.com
