Security Policy

Security Policy - Summary

We reward cybersecurity researchers' responsible disclosures on a first-reported basis, only if they meet the strict eligibility criteria. Please read the full policy below.

Security Policy - Full

This Security Policy covers all of our websites and web applications. This website is operated by its developer ("we" or "us").

Introduction

Security is core to our values, and we value the input of hackers acting in good faith to help us maintain a high standard for the security and privacy of our users. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.

Scope: Eligible Cybersecurity Research Submissions

Only the following submissions are eligible for a reward:

• Domain Theft: Theft of domain name "ztzt.dev" or the creation of an unauthorized subdomain "ctf.ztzt.dev".
• Defacement: Defacement of the website at https://ztzt.dev or creation of an unauthorized webpage at "https://ztzt.dev/ctf.html".
• Data Theft: Theft of data from an underlying database, e.g., wp_ctf.db.
• Login Bypass: Unauthorized access bypassing the login restrictions of the website, e.g., login.php or forgot-password.php.
• Admin Privilege: Gaining root access to the web server, e.g., by creating a file at "/root/.ssh/ctf.txt" containing your email.
• Ransomware: Encrypt the file "/root/ctf/encryptme.doc" and prove by sending the decryption key.

Out-of-Scope: Submissions Not Eligible for a Reward

Anything not explicitly identified in the Eligibility section is ineligible. The following are explicitly prohibited:

• Availability Attacks (without prior permission): DoS, DDoS, DRDoS, or any other form of attack with or without botnets. Dedicated time slots for DDoS can be arranged.
• OSINT: Enumeration, reconnaissance, version disclosures.
• Supply Chain: Attacks on service providers and supply chain (e.g., Cloudflare, Vultr, AWS, GitHub).

Ground Rules

To encourage vulnerability research and avoid confusion between legitimate research and malicious attacks, we ask that you attempt, in good faith, to:

• Play by the rules, including following this policy and other relevant agreements.
• Report any vulnerability discovered promptly.
• Avoid violating the privacy of others, disrupting our systems, destroying data, or harming user experience.
• Use only the Official Channels to discuss vulnerability information with us.
• Handle the confidentiality of details of any discovered vulnerabilities according to our Security Policy.
• Perform testing only on in-scope systems and respect out-of-scope systems and activities.
• If a vulnerability provides unintended access to data: Limit access to the minimum required for a Proof of Concept; cease testing and submit a report immediately if you encounter user data, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.
• Interact only with test accounts you own or with explicit permission from the account holder.
• Do not engage in extortion or blackmail via any social media, forum, or darknet.

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

• Authorized under applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy.
• Authorized under relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls.
• Exempt from restrictions in our Acceptable Usage Policy that would interfere with security research, with those restrictions waived on a limited basis.
• Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through our Official Channels before proceeding further.

Other Conditions

All cybersecurity researchers are eligible for a reward, subject to the following conditions:

• Researchers under 18 must obtain prior permission from a parent or legal guardian, and rewards will be sent only to the parent/guardian. No payments to minors.
• No rewards will be paid in Bitcoin, other cryptocurrencies, Western Union, PayPal, or similar payment gateways.
• Payments will be made only to bank accounts with valid IBAN and BIC/Swift codes.
• No rewards will be paid to accounts in countries subject to international sanctions.

How to Claim Your Bug Bounty

Submit your report via email to security@ztzt.dev, including:

• Proof of eligibility.
• Steps to reproduce the vulnerability.
• Optional recommended remedy.

Upon verification, we will reply within two weeks. Complex attacks may require longer. Please do not make public disclosures without prior written permission.

Changes

This Security Policy may be updated periodically. Please check back regularly for changes.

Last updated: 22 June 2025