Scope

This policy applies to zerodayresearch.dev and any subdomains owned and operated by ZER0DAY R&D.

Out of scope

• Third-party infrastructure (GitHub Pages, DNS providers, CDN)
• Social engineering of ZDR personnel or clients
• Physical security of any associated premises
• Denial of service testing
• Automated scanning that generates excessive traffic

Safe harbor

Research conducted in good faith and within this policy will not be met with legal action. Researchers are expected to avoid accessing, modifying, or exfiltrating data belonging to third parties.

Disclosure

Submit findings to security@zerodayresearch.dev. Include reproduction steps, observed behavior, and expected behavior. Response ceiling is 48 hours.

Acknowledgment

Researchers who follow this policy are credited in the disclosure notes unless they request anonymity.