We welcome responsible reports of security vulnerabilities in our systems.
If you believe you've found a potential issue, please contact us at security@zasta.de. To help
protect sensitive information, we strongly encourage you to encrypt your message using our
provided PGP key.
To support an efficient review process, please include a clear description of the issue, steps
to reproduce it, and, if possible, non-destructive evidence of its impact or exploitability.
We usually acknowledge all reports within three working days.
The following activities are strictly prohibited:
These activities are strictly prohibited:
- Denial-of-Service (DoS or DDoS) attacks
- Automated vulnerability scanning
- Social engineering
- Physical access attempts or intrusion testing
- Disrupting production systems or impacting other users
- Accessing, downloading, modifying, or deleting data or systems beyond what is necessary to demonstrate a vulnerability

We do not offer rewards for low-risk issues (e.g. missing HTTP headers), for findings already
known to us, or for submissions that cannot be reproduced. There is no guaranteed
entitlement to a bounty. Any reward is determined on a case-by-case basis, depending on
severity, impact, and overall quality of the report.
If you report a security issue in good faith and handle the information responsibly, including
not causing harm, avoiding unnecessary disruption, and keeping all details confidential until
we have had a chance to respond and fix them, we will not pursue legal action. We are
committed to treating security researchers with respect and fairness.
Thank you for helping us improve the security of our systems.