Responsible Discovery and Disclosure Guidelines
01 Purpose and Scope
ZERO|TOLERANCE Security Research ("ZT") is an independent security research firm that conducts proactive, external reconnaissance of internet-facing infrastructure to identify security exposures before they are exploited by malicious actors.
These guidelines define the principles, methodology, and procedures ZT follows when discovering and disclosing security findings to affected organizations. This policy applies to all research conducted by ZT personnel and governs all communications with affected parties from initial discovery through final resolution.
The objective of this policy is to ensure that security findings are communicated responsibly, that affected organizations receive adequate time and support to remediate, and that the interests of end users and third parties are protected throughout the process.
02 Discovery Methodology
All ZT research is conducted through external observation of, and standard interaction with, publicly accessible and unauthenticated systems and information. ZT does not require or use any special access, credentials, or insider knowledge. As a baseline, subject only to the Limited Validation Exception below, ZT adheres to the following constraints:
- External observation and standard interaction only. ZT examines publicly exposed interfaces, metadata, configurations, certificates, DNS records, HTTP responses from publicly accessible endpoints, and other externally visible indicators. ZT interacts with systems only through standard, unauthenticated requests equivalent to normal web browsing. ZT does not perform automated scanning, fuzzing, or any activity designed to enumerate or overwhelm target systems.
- No exploitation. ZT does not exploit discovered vulnerabilities. Findings are validated through observation and analysis, not through proof-of-concept execution against production systems.
- No authentication bypass. ZT does not attempt to log in, circumvent access controls, or leverage credentials - whether discovered or otherwise - to access restricted systems or data.
- No data access, download, or exfiltration. ZT does not access, retrieve, copy, or retain any data belonging to the affected organization, its clients, or its users. If sensitive data is visible in the course of passive observation, ZT documents the exposure without accessing the underlying data stores.
- No destructive operations. ZT does not modify, delete, or disrupt any systems, services, or data.
Limited Validation Exception. In narrowly defined circumstances, ZT may depart from the baseline constraints above. Where initial external observation reveals a critical exposure that poses immediate risk to identifiable individuals - such as plaintext credentials accessible without authentication - ZT may conduct limited validation testing, restricted to the minimum interaction necessary to confirm severity and impact. Validation is performed only when passive observation alone is insufficient to establish the nature and scope of the risk, and every validation step taken is documented transparently in the disclosure report delivered to the affected organization. Limited validation never extends to lateral movement, privilege escalation, retrieval of data beyond the minimum necessary to evidence the finding, or any action that could cause harm to the affected organization or its users.
This methodology is consistent with widely accepted norms for good-faith security research, as reflected in the U.S. Department of Justice's 2022 policy on charging cases under the Computer Fraud and Abuse Act, the CERT/CC Guide to Coordinated Vulnerability Disclosure, and ISO/IEC 29147 (Vulnerability disclosure).
03 Initial Notification
When ZT identifies a finding of sufficient severity to warrant disclosure, ZT will:
- Prepare a written report documenting the finding, including technical details, assessed severity, potential impact, and recommended remediation steps. Each report is assigned a unique tracking number for reference throughout the disclosure process.
- Identify the appropriate security contact at the affected organization. ZT prioritizes direct communication with the organization's security team through designated security contacts.
- Deliver the report through secure channels. ZT prefers encrypted email (PGP/GPG) or other secure communication methods. Where encrypted channels are not available, ZT will use the most secure means reasonably available and will limit sensitive technical details until a secure channel is established.
- Confirm receipt. ZT will seek explicit confirmation that the report has been received and routed to the appropriate team. The coordinated disclosure window begins on the date the report is delivered to the organization, regardless of internal routing delays.
04 Coordinated Disclosure Window
ZT follows a 90-day coordinated disclosure window beginning from the date of initial notification. This matches the 90-day standard popularized by Google Project Zero and is longer than the 45-day default in the CERT Coordination Center's (CERT/CC) published disclosure policy; both frameworks, like this one, allow the window to be extended or shortened according to circumstances.
During this window:
- The finding remains confidential between ZT and the notified organization (subject to the exceptions described in Sections 6, 7 and 9, and to the early disclosure provision below).
- ZT will not publish, present, or otherwise publicly disclose the finding.
- ZT expects the affected organization to acknowledge receipt, engage in good-faith communication regarding remediation progress, and take reasonable steps to address the identified exposure.
Extensions. ZT will grant reasonable extensions to the 90-day window when the affected organization demonstrates active, good-faith remediation efforts and communicates openly about timelines and obstacles. Extension requests should be made in writing before the window expires.
Early disclosure. ZT reserves the right to shorten the disclosure window if there is evidence that the vulnerability is being actively exploited in the wild, that the organization is acting in bad faith, or that continued non-disclosure poses an imminent risk to public safety or to affected third parties. Before invoking early disclosure, ZT will notify the affected organization and provide a reasonable opportunity to respond, except where delay would result in imminent harm to identifiable individuals.
05 Remediation Verification
ZT offers remediation verification to all notified organizations. Once an organization reports that remediation is complete, ZT will:
- Conduct passive re-observation to confirm that the identified exposures are no longer present.
- Provide written confirmation of successful remediation or, if residual issues remain, a supplemental report detailing outstanding concerns.
An initial verification pass is offered as part of the coordinated disclosure process. Comprehensive remediation validation, ongoing monitoring, and extended assessment services are available under separate engagement terms. Remediation verification follows the same external-observation methodology described in Section 2.
06 Escalation Protocol
If an affected organization does not respond to or engage with ZT's initial notification, ZT will escalate as follows:
| Timeline | Action |
|---|---|
| Day 7 | Follow-up communication to the original point of contact, reiterating the finding and requesting acknowledgment. |
| Day 14 | Escalation to senior security leadership (CISO or equivalent) through an alternate communication channel if necessary. |
| Day 30 | If the finding involves material risk to identifiable third parties, ZT may notify those third parties directly, limited to information necessary for them to assess and mitigate their own risk. |
| Day 60 | If the finding involves exposures that may trigger regulatory notification obligations, ZT may notify relevant regulatory or coordinating authorities. |
| Day 90 | Public disclosure of the finding. ZT will publish a technical summary of the vulnerability, remediation recommendations, and a timeline of disclosure communications. |
All timeline references are measured from the date of initial notification. Each escalation step is subject to the good-faith extension provisions described in Section 4. The escalation protocol applies when an affected organization has not acknowledged or meaningfully engaged with the disclosure. Organizations that are actively communicating and demonstrating good-faith remediation efforts are governed by the standard 90-day window and extension provisions in Section 4.
07 Affected Third Parties
Security findings sometimes reveal risk that extends beyond the notified organization to its clients, partners, vendors, or end users. ZT recognizes a duty of care toward these third parties.
If ZT's findings indicate that identifiable third parties face material security risk as a direct consequence of the discovered vulnerability, and the primary organization fails to demonstrate adequate remediation progress or to notify affected third parties within a reasonable period, ZT reserves the right to:
- Notify affected third parties directly, limited to information necessary for them to assess their own exposure and take protective action.
- Coordinate with relevant industry ISACs, CERTs (including the CERT Coordination Center), or other coordinating bodies to facilitate responsible notification.
ZT will always prefer to work with the primary organization to handle third-party notification jointly. Direct third-party notification is a measure of last resort, employed only when continued non-action poses an unacceptable risk to parties that have no other means of learning about the exposure.
08 Legal and Ethical Framework
- Voluntary and independent. All unsolicited research is self-initiated and conducted independently. Where an organization operates a formal bug bounty or vulnerability disclosure program, ZT may participate under that program's terms. ZT also conducts research under contract or at the direction of clients where separately agreed in writing.
- Disclosure is not contingent on compensation. ZT's decision to disclose a finding is never contingent on payment, bounty, or other compensation. Findings are reported because they should be reported, regardless of commercial outcome. However, ZT is a professional security research firm and may propose follow-on services - including remediation support, comprehensive assessment, or ongoing monitoring - following the initial disclosure. Any commercial proposal is separate from and independent of the disclosure itself.
- No data retention. ZT does not retain any data belonging to affected organizations or their stakeholders beyond what is necessary to document the finding for disclosure purposes.
- Good faith. ZT operates in good faith at all times. The purpose of disclosure is to help organizations improve their security posture and to protect the people who depend on their systems.
- Legal compliance and framework. ZT conducts its research in a manner consistent with applicable law and with widely accepted norms for good-faith security research. In particular, ZT's methodology is consistent with the U.S. Department of Justice's 2022 policy regarding charging cases under the Computer Fraud and Abuse Act, which directs federal prosecutors not to charge good-faith security research, and ZT's activities align with the coordinated vulnerability disclosure frameworks published by the CERT Coordination Center (CERT/CC) and with ISO/IEC 29147 (Vulnerability disclosure).
09 Confidentiality
ZT treats all findings as confidential from the moment of discovery. During the coordinated disclosure window:
- Findings are shared only with the affected organization and, where applicable, with affected third parties or coordinating authorities as described in Sections 6 and 7.
- ZT will not discuss findings with media, publish technical details, or present findings at conferences.
- ZT will not use findings for competitive intelligence or any purpose other than supporting the affected organization's remediation and security improvement. ZT may propose professional services to the affected organization based on identified findings, as described in Section 8.
Following the expiration of the disclosure window, if the affected organization has not remediated the finding and has not engaged in good-faith communication, ZT may publish a disclosure report. Published reports will include technical details sufficient for the security community to understand the nature of the vulnerability and recommended mitigations. ZT will make reasonable efforts to avoid including information that could directly enable exploitation.
If the affected organization successfully remediates the finding during the disclosure window, ZT will coordinate with the organization on the timing and content of any public acknowledgment, and will credit the organization's responsive handling where appropriate.
10 Report Retention and Record-Keeping
ZT maintains internal records of all disclosed findings, including report contents, delivery confirmations, correspondence, and remediation outcomes. These records are retained to support traceability, demonstrate good-faith conduct, and enable follow-up if issues resurface or remain unaddressed.
Retained records consist of ZT-authored reports, delivery confirmations, and correspondence logs, and do not include data belonging to the affected organization, its clients, or its users. These records are stored securely and are not shared with any party outside of ZT unless required by law, compelled by legal process, or necessary to support the provisions described in Sections 6 and 7 of this policy.
11 Report Ownership and Intellectual Property
All reports, analyses, and supporting materials produced by ZT in connection with security research and disclosure are the exclusive intellectual property of ZERO|TOLERANCE Security Research. This includes, without limitation, written findings, severity assessments, remediation guidance, methodology descriptions, and any supplemental materials delivered to affected organizations or their designated recipients.
- Attribution. ZT reports must be attributed to ZERO|TOLERANCE Security Research at all times. No party may present, represent, or imply that a ZT report is the work of any other individual or organization.
- No rebranding or modification. ZT reports may not be altered, rebranded, or stripped of ZT attribution, report identifiers, or other provenance markers. Reports must be delivered and shared in the form provided by ZT.
- No unauthorized redistribution. ZT reports may be shared only with the intended recipients identified by ZT at the time of delivery. Further distribution requires ZT's prior written authorization.
- No independent commercialization. No party may use a ZT report, or information derived from a ZT report, to establish, negotiate, or support their own consulting, advisory, or commercial relationships with any affected organization without ZT's express written consent.
- Traceability. Each copy of a ZT report may contain unique identifiers, watermarks, or other traceability mechanisms. These identifiers may not be removed or obscured.
- Enforcement. Violation of these terms may result in immediate termination of the disclosure or working relationship, public attribution correction, and pursuit of all available legal remedies.
These provisions apply to all parties who receive, handle, or transmit ZT reports, including intermediaries, delivery agents, and designated points of contact acting on ZT's behalf.
12 Contact
ZERO|TOLERANCE Security Research
Encrypted communication via PGP/GPG preferred for all disclosure-related correspondence.
PGP Fingerprint: 7171 FB9C 2AEA 69B9 FE4F 053F 7BD7 1863 418D C1BE
Version History
| Version | Date | Summary |
|---|---|---|
| 1.6 | March 24, 2026 | Added Limited Validation Exception to Section 2 (Discovery Methodology), defining conditions under which ZT may conduct minimal validation testing when passive observation alone is insufficient to establish the severity of a critical exposure affecting identifiable individuals. Updated Section 5 (Remediation Verification) to clarify that initial verification is included, with comprehensive services available under separate terms. Updated Section 8 (Legal and Ethical Framework) to distinguish between unsolicited disclosure, bug bounty participation, and contracted work. Updated Section 9 (Confidentiality) to permit proposing professional services while maintaining the prohibition on competitive intelligence use. |
| 1.5 | March 23, 2026 | Added Section 10 (Report Retention and Record-Keeping) and Section 11 (Report Ownership and Intellectual Property) covering attribution, prohibited rebranding, redistribution controls, and traceability provisions. Contact renumbered to Section 12. |
| 1.4 | March 23, 2026 | Updated discovery methodology to accurately reflect external observation and standard interaction with unauthenticated systems. Added legal framework references to Section 8. Clarified escalation protocol scope. Added early disclosure grace period. Added CERT/CC coordination reference. |
| 1.3 | January 1, 2026 | Refined discovery methodology section. Added ISO 29147 and DOJ CFAA policy references. Clarified early disclosure provisions. |
| 1.2 | October 15, 2025 | Added third-party notification provisions and confidentiality framework. |
| 1.1 | July 1, 2025 | Expanded escalation protocol. Added remediation verification offer. |
| 1.0 | March 1, 2025 | Initial publication. |