Security Policy
Last Updated: March 27, 2026
Our Commitment to Security
At ZhenSkill, we take the security of our platform and your data seriously. This Security Policy outlines our security practices, how we protect your information, and how to report security vulnerabilities.
Security Contact
Report Security Issues
If you discover a security vulnerability, please report it to:
Response Time: We aim to acknowledge reports within 24 hours
Please do NOT:
- Disclose the vulnerability publicly before we've had a chance to fix it
- Access, modify, or delete data belonging to other users
- Perform actions that could harm the platform or our users
- Test vulnerabilities on production systems without permission
Vulnerability Disclosure Program
Scope
The following are within scope for vulnerability reports:
- www.zhenskill.com - Main website and all subdomains
- API Endpoints - /api/* routes
- Authentication System - Login, signup, password reset
- Skill Installation - Skill download and installation mechanisms
- Workspace Gateway and Purchases - Post-login routing, buyer delivery, and account access features
- Payment Processing - If/when implemented
Out of Scope
- Social engineering attacks
- Physical attacks against our infrastructure
- Denial of Service (DoS/DDoS) attacks
- Spam or social engineering of ZhenSkill employees
- Issues in third-party services we use (report to them directly)
- Recently disclosed vulnerabilities (give us time to patch)
Safe Harbor
We support safe harbor for security researchers who:
- Report vulnerabilities responsibly to security@zhenskill.com
- Give us reasonable time to fix issues before public disclosure
- Don't exploit vulnerabilities beyond what's necessary to demonstrate the issue
- Don't access, modify, or delete data belonging to others
- Act in good faith
We will not: Pursue legal action against researchers who follow these guidelines.
How to Report a Vulnerability
What to Include
Please provide as much information as possible:
- Description: Clear description of the vulnerability
- Impact: What could an attacker do with this vulnerability?
- Steps to Reproduce: Detailed steps to reproduce the issue
- Proof of Concept: Screenshots, videos, or code demonstrating the issue
- Environment: Browser, OS, or other relevant environment details
- Suggested Fix: If you have ideas for remediation (optional)
Report Template
**Vulnerability Report** Severity: [Critical/High/Medium/Low] Type: [XSS/SQL Injection/CSRF/etc.] ## Description [Clear description of the vulnerability] ## Impact [What can an attacker do?] ## Steps to Reproduce 1. [First step] 2. [Second step] 3. [...] ## Proof of Concept [Screenshots, code, or video links] ## Suggested Remediation [Your suggestions if any] ## Your Contact Info Name: [Your name or handle] Email: [Your email]
Our Response Process
- Acknowledgment (24 hours): We'll confirm receipt of your report
- Assessment (3-5 days): We'll evaluate severity and impact
- Resolution Timeline (varies):
- Critical: 24-48 hours
- High: 7 days
- Medium: 30 days
- Low: 90 days
- Disclosure: We'll coordinate disclosure timing with you
- Recognition: We'll credit you (if desired) in our security acknowledgments
Our Security Measures
Infrastructure Security
- Hosting: Secure cloud infrastructure with automated backups
- Encryption: TLS 1.3 for all data in transit
- Database: Encrypted at rest, row-level security policies
- Authentication: Bcrypt password hashing, session management
- API Security: Rate limiting, input validation, CSRF protection
Application Security
- Input Validation: All user inputs sanitized and validated
- XSS Protection: Content Security Policy (CSP) headers
- SQL Injection: Parameterized queries, ORM usage
- CSRF Protection: Anti-CSRF tokens on all state-changing requests
- Authentication: Multi-factor authentication support (coming soon)
Operational Security
- Access Control: Principle of least privilege for all systems
- Logging: Comprehensive logging for security monitoring
- Monitoring: 24/7 automated security monitoring
- Incident Response: Documented incident response procedures
- Backups: Daily encrypted backups with point-in-time recovery
Skill Security
Important: All skills published on ZhenSkill undergo security review before publication.
Our skill review process includes:
- Automated static code analysis
- Dependency vulnerability scanning
- Manual code review for critical skills
- Sandboxed execution testing
- API key handling verification
Incident Response
If We Discover a Breach
In the event of a security incident affecting user data:
- Immediate Response: Contain and assess the incident
- Notification (72 hours): Notify affected users and authorities as required by GDPR
- Transparency: Publish incident report detailing what happened
- Remediation: Implement fixes and additional safeguards
- Post-Mortem: Conduct thorough review and implement improvements
What We'll Tell You
- What data was affected
- When the incident occurred
- What we're doing about it
- What you should do (if anything)
- How to get more information
Best Practices for Users
Protect Your Account
- Use a strong, unique password (12+ characters, mixed case, numbers, symbols)
- Enable two-factor authentication when available
- Don't share your password or API keys
- Log out of shared computers
- Keep your email account secure (it's used for password reset)
When Installing Skills
- Review skill permissions before installing
- Only install skills from trusted authors
- Check skill ratings and reviews
- Use environment variables for API keys (don't hardcode)
- Regularly review installed skills and remove unused ones
Recognize Phishing
- We'll never ask for your password via email
- Always verify the sender's email address
- Check for HTTPS and correct domain (zhenskill.com)
- Be suspicious of urgent requests
- When in doubt, navigate directly to zhenskill.com (don't click email links)
Security Updates
We regularly update our security measures and will notify users of significant changes. Subscribe to our security mailing list for updates:
Security Updates: Email security@zhenskill.com with subject "Subscribe to Security Updates"
Security Acknowledgments
We're grateful to the following security researchers who have responsibly disclosed vulnerabilities:
Hall of Fame coming soon. Be the first to report a vulnerability!
Compliance and Certifications
Our security practices are designed to comply with:
- GDPR: European data protection regulations
- CCPA: California Consumer Privacy Act
- SOC 2 Type 2: (via Supabase infrastructure)
- OWASP Top 10: Protection against common vulnerabilities
Contact Us
For security-related questions or concerns:
- Security Issues: security@zhenskill.com
- Privacy Questions: privacy@zhenskill.com
- General Support: support@zhenskill.com
Security is a Shared Responsibility
While we work hard to keep ZhenSkill secure, security is a partnership between us and our users. Follow best practices, stay informed, and report issues when you find them. Together, we can keep our community safe.
Related Policies: Privacy Policy | Terms of Service | Cookie Policy