Skip to content
Responsible disclosure

Found a vulnerability? Tell us directly.

Zenreps operates conversation infrastructure for regulated medicine, and we treat security reports with the seriousness that implies. If you have found a vulnerability in our website or product surfaces, we want to hear from you first — this page tells you how.

Last revised July 2026

01Responsible disclosure

Scope

In scope: zenreps.com and the product surfaces Zenreps operates — the web application, its APIs, and the conversation channels we run.

Out of scope

  • Third-party services we link to or build on — report those to the third party.
  • Findings that require physical access, stolen credentials, or social engineering of our team or our users.
  • Denial-of-service, spam, or resource-exhaustion testing. Do not degrade the service to prove a point.
  • Automated scanner output with no demonstrated impact.
02Responsible disclosure

How to report

Email the details to security@zenreps.com. Plain email is fine — the more you can tell us, the faster we can act:

security@zenreps.com

  1. What you found, and where — the URLs, endpoints, or surfaces involved.
  2. Steps to reproduce it, as specifically as you can.
  3. Impact as you assess it — what could someone actually do with this?
  4. How to reach you for follow-up, and the name or handle to credit if you want one.
03Responsible disclosure

What to expect from us

An acknowledgment
We confirm receipt and tell you your report is being looked at — by the people who build the product, not a triage vendor.
A good-faith investigation
We investigate what you send, keep you informed of material progress, and tell you when the issue is resolved.
Straight answers
If we conclude something is not a vulnerability, we say so and explain why — you get a reason, not silence.
04Responsible disclosure

Good-faith research

05Responsible disclosure

On bounties

Zenreps does not run a paid bug-bounty program. What we offer instead: a direct line to the people who build the product, a serious investigation, and credit if you want it.