Security and Responsible Disclosure Policy
How to report security vulnerabilities to Zephyr Cloud and the boundaries for coordinated, good-faith security research.
Effective July 15, 2026
1. Overview
Zephyr Cloud welcomes good-faith security research that helps protect The AI Platform, the Miniapp SDK, our websites, hosted services, APIs, marketplace, and other systems we operate. This policy explains how to report a suspected vulnerability, the boundaries for authorized research, and how we approach coordinated disclosure.
Third-party services, customer-controlled systems, and miniapps not operated by Zephyr Cloud are outside this policy unless we expressly identify them as in scope.
2. Reporting a vulnerability
Send security reports to legal@theaiplatform.app. Use a subject line that begins with "Security report" and include:
- the affected product, endpoint, package, and version;
- clear reproduction steps and the observed security impact;
- the smallest proof of concept needed to confirm the issue, with sensitive information removed or redacted;
- any conditions required to reproduce the issue; and
- how we can contact you and whether you want public credit.
Do not include credentials, personal information, customer content, or other sensitive data unless we ask for it through an appropriate secure channel. If you encounter such data, stop testing, do not retain or share it, and tell us what happened.
3. Good-faith research and safe harbor
Research is in good faith when it is intended to identify and help remediate a security issue, follows this policy, avoids harm, and complies with applicable law. You must:
- test only your own accounts and data or systems you have express permission to test;
- make a reasonable effort to avoid privacy violations, service disruption, data loss, degraded performance, and harm to users or third parties;
- access, copy, alter, delete, or retain no more data than is minimally necessary to confirm the vulnerability;
- stop after confirming the issue, avoid persistence or lateral movement, and report it promptly;
- give us a reasonable opportunity to investigate and remediate before any public disclosure; and
- not demand payment, threaten disclosure, or engage in extortion.
If we determine that your research was conducted in good faith and in accordance with this policy, we will treat it as authorized security research and will not initiate or support legal action against you by Zephyr Cloud for that research. If a third party initiates legal action, we may, at our discretion, explain that your activity complied with this policy. This safe harbor does not bind third parties or law-enforcement authorities and does not excuse violations of applicable law.
5. Response and coordinated disclosure
We will make a reasonable effort to acknowledge a complete report, assess its impact, keep the reporter informed of material progress, and coordinate an appropriate disclosure timeline. Remediation time varies based on risk, complexity, affected parties, and dependencies. We may ask you to delay disclosure while remediation is underway.
This policy does not create a promise of payment, bounty, employment, response deadline, remediation deadline, or public credit. Any reward or recognition is solely at our discretion unless we separately agree in writing.
6. Changes and prior versions
We may update this policy prospectively. A new version applies no earlier than its stated effective date. We will publish the current effective date and retain dated versions at the version links on this page. Research is evaluated under the version in effect when the relevant activity occurred. We will provide additional notice where applicable law requires it.
7. Contact
Send vulnerability reports and security-policy questions to legal@theaiplatform.app.