Security disclosure policy — GLP1Zoom

How to report

Email [email protected]. PGP key available at /.well-known/pgp-key.txt. Machine-readable contact data lives at /.well-known/security.txt (RFC 9116).

Scope (in-scope)

glp1zoom.com and all subdomains under our control
Public APIs at /api/*
Payload CMS admin at /admin
Affiliate redirect handlers at /api/affiliate/*
End-user authentication + magic-link flow
Community Q&A + provider-review submission endpoints

Out of scope

Denial-of-service or volumetric attacks
Findings from automated scanners without manual validation
Missing security headers without demonstrated impact (we already enforce CSP, HSTS, X-Frame-Options)
Findings against affiliate-partner properties (please contact them directly)
Social engineering of GLP1Zoom staff, customers, or partners; physical security
SPF/DKIM/DMARC misconfigurations on parked / non-mail subdomains

Response timeline

Acknowledgment: within 3 business days of report receipt
Triage + severity assessment: within 7 business days
Remediation target: 30 days for critical, 60 days for high, 90 days for medium/low
Public disclosure:coordinated — we'll agree a window with the reporter, default 90 days

Safe harbor

GLP1Zoom will not pursue legal action against researchers who:

Make a good-faith effort to comply with this policy
Avoid privacy violations and destructive testing (no real-user data)
Do not compromise the integrity of patient information, affiliate-partner systems, or third-party services
Do not publicly disclose before a coordinated window expires

We will publicly credit reporters in our hall of fame unless anonymity is requested.

What we don't offer (yet)

We don't currently run a paid bounty program. Reports are voluntary and appreciated; credit and swag where appropriate.

PII handling

If a finding involves real user data, do NOT exfiltrate, modify, or share it. Describe the issue, redact any sensitive fields, and stop probing. We will reproduce in our staging environment with synthetic data.

Last updated 2026-06-03. Policy effective until superseded.

Out of scope

Denial-of-service or volumetric attacks

Findings from automated scanners without manual validation

Missing security headers without demonstrated impact (we already enforce CSP, HSTS, X-Frame-Options)

Findings against affiliate-partner properties (please contact them directly)

Social engineering of GLP1Zoom staff, customers, or partners; physical security

SPF/DKIM/DMARC misconfigurations on parked / non-mail subdomains

Safe harbor

GLP1Zoom will not pursue legal action against researchers who:

Make a good-faith effort to comply with this policy

Avoid privacy violations and destructive testing (no real-user data)

Do not compromise the integrity of patient information, affiliate-partner systems, or third-party services

Do not publicly disclose before a coordinated window expires

We will publicly credit reporters in our hall of fame unless anonymity is requested.