ZZEPHRYX//

POLICY ACTIVE

RESPONSIBLE DISCLOSURE / GOOD-FAITH RESEARCH

Found a flaw?
Report it safely.

I want valid issues fixed, and I will not punish careful researchers acting in good faith. Read the scope before touching anything.

REPORT A VULNERABILITY
POLICY STATUSLIVE
AUTHORIZED HOSTS
02
RESPONSE GOAL
≤ 7 DAYS
REWARD PROGRAM
NONE
POLICY VERSION
1.0
THE SHORT VERSIONMinimize harm. Prove only what is necessary. Stop if real data appears. Report privately.DO NO HARM

01 // SCOPE

Know the boundary.

EXACT HOSTS ONLY 02
IN SCOPE / 01

zephryx.in

The apex website and the content or endpoints served directly from this host.

https://zephryx.in
IN SCOPE / 02

www.zephryx.in

The public alias and redirect behavior for the main website.

https://www.zephryx.in
OUT OF SCOPE

Everything else.

Other subdomains, social accounts, email providers, hosting infrastructure, and third-party services are not authorized unless listed here later.

NO IMPLIED SCOPE

02 // RULES OF ENGAGEMENT

Keep the test controlled.

SAFETY FIRST
/ DO

Use the smallest proof.

  • Test only the two in-scope hosts.
  • Use accounts and data you own.
  • Keep request volume low and manual.
  • Report the issue as soon as it is confirmed.
/ STOP

Stop when data appears.

  • Do not explore unrelated records.
  • Do not download a dataset as proof.
  • Capture only the minimum evidence.
  • Report accidental exposure immediately.
/ NEVER

Do not cross these lines.

  • Denial of service, traffic flooding, or resource exhaustion
  • Social engineering, phishing, spam, or physical attacks
  • Credential stuffing, password spraying, or stolen credentials
  • Persistence, malware, destructive changes, or data modification
  • High-volume automated scanning or tests that affect other visitors
  • Accessing, copying, or exposing data beyond the minimum proof

03 // SAFE HARBOR

Good faith is welcome here.

Research performed in good faith, within this policy, is considered authorized by me to the extent I can grant that authorization. I will not initiate or support legal action for accidental, good-faith violations of this policy.

If you are unsure whether a test is allowed, ask before continuing. This safe harbor does not authorize unlawful activity, apply to third-party systems, or waive anyone else’s rights.

If a test could harm a person, their data, or service availability: do not run it.

04 // REPORTING

Send useful evidence.

PRIVATE CHANNEL

Email the report with a clear subject. Include the affected URL, impact, exact reproduction steps, and the smallest proof that confirms the issue.

Do not send passwords, API keys, session tokens, or private third-party data. If sensitive data appeared accidentally, describe it without pasting the value.

REPORT_TEMPLATE.TXT
Affected URL:

Summary:

Security impact:

Steps to reproduce:
1.
2.
3.

Minimal proof of concept:

Browser / environment:

Suggested fix (optional):

Credit preference: named / anonymous

05 // WHAT HAPPENS NEXT

A simple response loop.

NO FIXED SLA
  1. 01
    REPORT

    You send the details privately.

  2. 02
    ACKNOWLEDGE

    I aim to reply within 7 calendar days.

  3. 03
    VALIDATE

    I reproduce the issue and assess impact.

  4. 04
    REMEDIATE

    The fix time depends on complexity.

  5. 05
    COORDINATE

    We agree before anything is published.

06 // REWARDS & CREDIT

No bounty program—yet.

There is currently no paid bug bounty, swag, or guaranteed reward. Please do not test expecting payment.

Useful, responsible reports may be credited publicly—with your permission only. Anonymous reporting is respected.

GENERAL CONTACT