GoZupees Responsible Disclosure Policy

At SILICON BIZTECH LIMITED, trading as GoZupees (hereinafter, "GoZupees"), ensuring the safety and security of our customer's data and the reliability of our products are of utmost importance to us. Therefore, we strive to design and create products with the highest levels of security and reliability. Despite our best efforts, our products and services may still contain vulnerabilities and errors due to their highly complex and sophisticated nature.

Purpose

This policy outlines GoZupees's methods for identifying and addressing potential vulnerabilities and errors in its products. It encourages external parties to report any issues they may encounter while using our products so that we can promptly investigate and resolve them. GoZupees encourages customers, users, researchers, partners, and anyone else who interacts with GoZupees' products to report any identified vulnerabilities or errors with such products.

Submitting a Report

The preferred method of contacting GoZupees regarding vulnerabilities and errors is sending your report to security@gozupees.com. Please include the following details with your report:

• Description of the location and potential impact of the exposure;
• A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
• Your name/handle and a link for recognition in our Hall of Fame (optional).

Providing your name and contact information is entirely at your discretion. GoZupees values all reports, whether anonymous or not. Should you provide contact information, we will only use it to seek clarification on your report and for recognition purposes.

What to Expect

GoZupees will endeavor to acknowledge the receipt of your report within three (3) working days of submission. We will keep you informed of our progress and the completion of any remediation actions. By submitting a report, you agree that GoZupees may use your report for any relevant purpose, including correcting any vulnerabilities. If you propose any changes or improvements, you assign all ownership and usage rights of those proposals to GoZupees.

Guidelines for Responsible Disclosure

Scope

• *.gozupees.com
• app.gozupees.com

Out-of-Scope Vulnerabilities

Any services hosted by third-party providers are excluded from the scope. The following test types are also excluded:

• Denial of service (DoS or DDoS)
• Spamming
• Social engineering (including phishing) of GoZupees staff or contractors
• Any physical attempts against GoZupees property or data centers
• Content spoofing / text injection
• Self-XSS
• Low-severity Cross-Site Request Forgery (e.g., logout CSRF)
• Open redirects with low security impact
• Missing HTTP security headers (unless they lead to a direct vulnerability)
• Missing cookie flags on non-sensitive cookies
• Password and account recovery policies (e.g., password complexity, reset link expiration)
• Invalid or missing SPF/DKIM/DMARC records
• SSL/TLS best practices or configuration issues
• Clickjacking/UI redressing with no practical security impact
• Username/email enumeration

Rules of Engagement

You will not:

• Exploit discovered vulnerabilities for any purpose other than reporting.
• Intentionally harm GoZupees, its customers, employees, or partners.
• Use, misuse, delete, alter, or destroy any data you might access.
• Conduct social engineering, spamming, phishing, or DoS attacks.
• Test the physical security of any GoZupees property.
• Breach any applicable laws or regulations.
• Disclose any information about your report or the vulnerability to a third party.
• Demand any form of compensation for your report.

You will:

• Make every effort to avoid privacy violations, degradation of user experience, and disruption to production systems.
• Perform research only within the defined scope.
• Keep any information you receive or collect about GoZupees or its users confidential.