# Trust Center

Security posture, transparency, and due diligence information for enterprise buyers.

## Site Security Posture
| Control | Status |
|---|---|
| HTTPS Enforcement (HSTS) | Enabled (1 year, includeSubDomains) |
| X-Frame-Options | DENY |
| X-Content-Type-Options | nosniff |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | Restricted (camera, mic, geo, payment off) |
| Content-Security-Policy | Enforced |
| Server-side Script Execution | Blocked (public pages static; admin panel IP-restricted) |
| Debug Endpoints | Blocked (403/410 for debug/test paths) |
| Directory Listing | Disabled |
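The table above is a set of claims that can be checked mechanically against the headers a server actually returns. The script below is an added example, not code from this site; it audits a constructed set of response headers against each header-level control in the table (HSTS max-age of at least one year with `includeSubDomains`, `X-Frame-Options: DENY`, `nosniff`, the stated `Referrer-Policy`, the four disabled Permissions-Policy features, and the presence of an enforced CSP). The `SAMPLE_HEADERS` values are constructed sample input, not captured from the real site; the Permissions-Policy feature names and the CSP string are assumptions for the example.

```python
"""Audit HTTP response headers against the posture table above.

Added example, not the site's code. SAMPLE_HEADERS is constructed input;
the expectations mirror the table rows that map to a response header.
"""

ONE_YEAR = 365 * 24 * 3600  # 31536000 seconds; the "1 year" HSTS target

# Constructed sample response headers (names lower-cased, as a client would
# normalise them). Not captured from the real site.
SAMPLE_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=(), payment=()",
    "content-security-policy": "default-src 'self'; script-src 'self'; object-src 'none'",
}


def check_hsts(value):
    """Return (ok, reason). Requires max-age >= one year and includeSubDomains."""
    if value is None:
        return False, "missing"
    max_age = None
    include_subs = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            if not arg.strip().isdigit():
                return False, "max-age not an integer"
            max_age = int(arg.strip())
        elif name == "includesubdomains":
            include_subs = True
    if max_age is None:
        return False, "no max-age"
    if max_age < ONE_YEAR:
        return False, f"max-age {max_age} < {ONE_YEAR}"
    if not include_subs:
        return False, "includeSubDomains absent"
    return True, "ok"


def check_permissions_policy(value, features=("camera", "microphone", "geolocation", "payment")):
    """Each listed feature must be present with an empty allowlist, i.e. feature=()."""
    if value is None:
        return False, "missing"
    granted = {}
    for item in value.split(","):
        name, _, allowlist = item.strip().partition("=")
        granted[name.strip().lower()] = allowlist.strip()
    bad = [f for f in features if granted.get(f) != "()"]
    return (not bad), ("ok" if not bad else "not disabled: " + ", ".join(bad))


def check_exact(value, expected):
    """Case-insensitive exact match for single-token headers."""
    if value is None:
        return False, "missing"
    return (value.strip().lower() == expected.lower()), f"got {value!r}"


def check_csp_present(value):
    """Verify an enforced CSP (not Report-Only) exists with a script-src or default-src."""
    if value is None:
        return False, "missing"
    names = {d.strip().split(" ")[0].lower() for d in value.split(";") if d.strip()}
    if not ({"default-src", "script-src"} & names):
        return False, "no default-src/script-src"
    return True, "ok"


def audit(headers):
    """Return {control: (ok, reason)} for each header-level control in the table."""
    h = {k.lower(): v for k, v in headers.items()}
    return {
        "HTTPS Enforcement (HSTS)": check_hsts(h.get("strict-transport-security")),
        "X-Frame-Options": check_exact(h.get("x-frame-options"), "DENY"),
        "X-Content-Type-Options": check_exact(h.get("x-content-type-options"), "nosniff"),
        "Referrer-Policy": check_exact(h.get("referrer-policy"), "strict-origin-when-cross-origin"),
        "Permissions-Policy": check_permissions_policy(h.get("permissions-policy")),
        "Content-Security-Policy": check_csp_present(h.get("content-security-policy")),
    }


def all_pass(headers):
    """True only when every control in audit() passes."""
    return all(ok for ok, _ in audit(headers).values())


if __name__ == "__main__":
    for control, (ok, reason) in audit(SAMPLE_HEADERS).items():
        print(f"{'PASS' if ok else 'FAIL'}  {control}: {reason}")
```

The three server-side rows (script execution, debug endpoints, directory listing) are not expressed as response headers and need request-based checks instead, so they are out of scope for this header audit. Note that the CSP check only confirms an enforced policy with a `default-src` or `script-src` directive is present; it does not evaluate the policy's strength.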
## Third-Party Services
Minimal third-party dependencies by design. We rely on standard web server access logs for security monitoring — no third-party analytics services or tracking pixels.
| Service | Purpose | Data | Load |
|---|---|---|---|
| Formspree | Contact form | Name, email, message | On submit only |
| CARTO (basemaps) | Map tiles | IP (tile request) | On-demand (click-to-load) |
| ipinfo.io | IP geolocation | IP address | Server-side lookup |
| GoDaddy hosting injection | Hosting provider monitoring (tccl.min.js) | None (blocked) | Blocked by CSP |
Leaflet mapping library is self-hosted. No external CDN dependency.
## Known Limits

1. Map tile requests go to basemaps.cartocdn.com when the map is loaded. This is opt-in (click-to-load).
2. Contact form submissions are processed by Formspree. Alternative: email directly to sales@zerodaybugs.com.
3. External links (Calendly, Telegram, WhatsApp) redirect to third-party sites with their own privacy policies.
4. Hosting provider injection: GoDaddy injects a monitoring script tag (tccl.min.js) into HTML responses server-side. This script is blocked by our enforced Content Security Policy. The tag is visible in page source but is not loaded by our application code.
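Both the "Blocked by CSP" row in the third-party table and limit 4 above rest on the same browser mechanism: an external `<script src>` is fetched only if its URL matches a source expression in the page's `script-src` directive (or `default-src` when `script-src` is absent). The code below is an added example, not this site's code or its real policy, showing how that decision is made. The page origin, the policy string and the injected-script URL are all constructed assumptions; the site's actual CSP is not published here. Host-source matching is simplified to scheme, host (with a leading `*.` wildcard) and port; path restrictions, nonces and hashes are not modelled.

```python
"""Decide whether a CSP script-src permits loading an external script.

Added example, not the site's code or policy. PAGE_ORIGIN, SAMPLE_CSP and
the URLs in the tests are constructed. Simplified source matching: no
path, nonce or hash handling.
"""
from urllib.parse import urlsplit

# Constructed page origin and policy (assumptions for the example).
PAGE_ORIGIN = "https://www.example.com"
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://js.example.com; "
    "object-src 'none'"
)
# Constructed placeholder for a script tag injected by a hosting layer.
INJECTED_SCRIPT = "https://injected-monitoring.example/tccl.min.js"

DEFAULT_PORTS = {"https": 443, "http": 80}


def parse_csp(policy):
    """Return {directive: [source expressions]} with directive names lower-cased."""
    result = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            result[tokens[0].lower()] = tokens[1:]
    return result


def effective_sources(policy, directive):
    """Fetch directives fall back to default-src; None means unrestricted."""
    d = parse_csp(policy)
    if directive in d:
        return d[directive]
    return d.get("default-src")


def _origin_parts(url):
    """(scheme, host, port) with the scheme's default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def source_matches(source, url, page_origin):
    """Does one source expression permit `url`? Keyword sources other than 'self' never match a URL."""
    u_scheme, u_host, u_port = _origin_parts(url)
    page_scheme = _origin_parts(page_origin)[0]
    if source.startswith("'"):
        keyword = source.strip("'").lower()
        if keyword == "self":
            return (u_scheme, u_host, u_port) == _origin_parts(page_origin)
        return False  # 'none', 'unsafe-inline', nonces, hashes
    src = source.lower()
    # scheme-source such as "https:"
    if src.endswith(":") and "/" not in src:
        return u_scheme == src[:-1]
    # host-source: [scheme://]host[:port][/path]
    if "://" in src:
        s_scheme, rest = src.split("://", 1)
        if s_scheme != u_scheme:
            return False
    else:
        rest = src
        # scheme-less host-source: the page's scheme, or an https upgrade of it
        if u_scheme not in (page_scheme, "https"):
            return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    if host == "*":
        host_ok = True
    elif host.startswith("*."):
        host_ok = u_host.endswith(host[1:]) and u_host != host[2:]
    else:
        host_ok = u_host == host
    if port == "*":
        port_ok = True
    elif port:
        port_ok = port.isdigit() and int(port) == u_port
    else:
        port_ok = u_port == DEFAULT_PORTS.get(u_scheme)
    return host_ok and port_ok


def script_allowed(policy, script_url, page_origin=PAGE_ORIGIN):
    """True if the browser would fetch `script_url` under `policy` on `page_origin`."""
    sources = effective_sources(policy, "script-src")
    if sources is None:
        return True  # neither script-src nor default-src: not restricted
    return any(source_matches(s, script_url, page_origin) for s in sources)


if __name__ == "__main__":
    for url in (PAGE_ORIGIN + "/leaflet/leaflet.js", INJECTED_SCRIPT):
        print(f"{url}: {'allowed' if script_allowed(SAMPLE_CSP, url) else 'blocked'}")
```

With the constructed policy, the self-hosted Leaflet script (same origin, so `'self'`) loads, while the placeholder injected script's host appears in no source expression and is refused. The policy must be delivered as an enforced `Content-Security-Policy` header; a `Content-Security-Policy-Report-Only` header only reports the violation and still lets the script load.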
## Release Discipline

- **Version Control:** Deploys are versioned with changelog and SHA256 checksum.
- **Change Review:** All public-facing content changes are diff-reviewed before deploy.
- **Claim Register:** Public claims are tracked and verified before publication.
- **Evidence Packs:** Structured evidence available under NDA for qualified buyers.
## Vulnerability Disclosure
If you discover a security vulnerability in this website, please report it responsibly:
- Email: sales@zerodaybugs.com
- Security report acknowledgement target: within 1 business day
Please include reproduction steps and expected vs. actual behavior.
## Evidence Manifest

Public evidence index available at /evidence/manifest.json.
Full evidence packs (test outputs, coverage reports, hardening verification) available under NDA. Contact sales@zerodaybugs.com to initiate.