Responsible disclosure
Found a vulnerability? Tell us directly.
Zenreps operates conversation infrastructure for regulated medicine, and we treat security reports with the seriousness that implies. If you have found a vulnerability in our website or product surfaces, we want to hear from you first — this page tells you how.
Last revised July 2026
01Responsible disclosure
Scope
In scope: zenreps.com and the product surfaces Zenreps operates — the web application, its APIs, and the conversation channels we run.
Out of scope
- Third-party services we link to or build on — report those to the third party.
- Findings that require physical access, stolen credentials, or social engineering of our team or our users.
- Denial-of-service, spam, or resource-exhaustion testing. Do not degrade the service to prove a point.
- Automated scanner output with no demonstrated impact.
02Responsible disclosure
How to report
Email the details to security@zenreps.com. Plain email is fine — the more you can tell us, the faster we can act:
- What you found, and where — the URLs, endpoints, or surfaces involved.
- Steps to reproduce it, as specifically as you can.
- Impact as you assess it — what could someone actually do with this?
- How to reach you for follow-up, and the name or handle to credit if you want one.
03Responsible disclosure
What to expect from us
- An acknowledgment
- We confirm receipt and tell you your report is being looked at — by the people who build the product, not a triage vendor.
- A good-faith investigation
- We investigate what you send, keep you informed of material progress, and tell you when the issue is resolved.
- Straight answers
- If we conclude something is not a vulnerability, we say so and explain why — you get a reason, not silence.
04Responsible disclosure
Good-faith research
05Responsible disclosure
On bounties
Zenreps does not run a paid bug-bounty program. What we offer instead: a direct line to the people who build the product, a serious investigation, and credit if you want it.