← Security overview

Responsible Disclosure Policy

We take the security of our platform seriously. If you believe you have found a vulnerability, we want to hear from you.

📜

Coordinated disclosure policy

Zelix AI (InterIP Networks BV) operates a coordinated vulnerability disclosure programme. We commit to the following:

We will acknowledge receipt of your report within 5 business days.
We will investigate and, where confirmed, patch the vulnerability within a 90-day window from the date of acknowledgement.
We ask you not to disclose the vulnerability publicly before the 90-day window has elapsed and we have confirmed the fix is deployed.
If a patch cannot be delivered within 90 days, we will agree a mutual extension with you in writing.
We will not pursue legal action against researchers who follow this policy in good faith.

🕐

Disclosure process

Submit your report

Send a clear description of the vulnerability, steps to reproduce, affected URL/component and potential impact to security@zelixai.ai. PGP-encrypted reports are welcome.

Acknowledgement (within 5 business days)

We confirm receipt and begin triage. We will ask clarifying questions if needed.

Fix and verify (within 90 days)

We patch the issue and invite you to verify the fix where practicable. We keep you informed of progress.

Coordinated public disclosure

After the fix is confirmed, we publish a security advisory (if warranted) and — with your permission — credit you in our hall of fame.

📧

Contact

🔐

Security email

security@zelixai.ai
PGP key: See security.txt (PGP key — TODO: publish key once generated)

Machine-readable policy: /.well-known/security.txt (RFC 9116)

Please do not discuss potential vulnerabilities in public channels (GitHub, social media, forums) before coordinating with us.

🚫

Out of scope

The following are outside the scope of our programme and will not be rewarded or acknowledged:

✗

Denial-of-service attacks (volumetric or application layer)

✗

Phishing, typosquatting or social-engineering attacks against Zelix AI employees or customers

✗

Social engineering of support staff

✗

Physical security vulnerabilities

✗

Email spam / SPF-DKIM misconfiguration reports without demonstrated exploitation

✗

Automated scanner output without manual verification

✗

Vulnerabilities in third-party services we use (report directly to the vendor)

✗

Self-XSS requiring the victim to enter their own malicious input

🏆

Hall of fame

We gratefully acknowledge the following researchers who have responsibly disclosed vulnerabilities to us:

🏆

No entries yet — be the first to be recognised!

Researchers who disclose a valid, in-scope vulnerability and consent to be named will appear here after coordinated disclosure.

Found a vulnerability?

Send your report to security@zelixai.ai — we'll get back to you within 5 business days.

Report a vulnerability →