If you find a security issue with any ZX systems, please tell us so that we can get it fixed.
Our goal is to protect our staff and customers' privacy. That means encouraging people to tell us about vulnerabilities and getting them fixed as soon as possible. We want to work with anyone who tells us about vulnerabilities in our systems.
ZX uses a range of services from various providers. If the vulnerability is in a vendor's product or service then we will need to pass the information on to them. We will not pass on your personal information including your contact details without your permission.
Please contact the ZX security team immediately.
Email us at firstname.lastname@example.org. Our emails are monitored Monday to Friday, 08:00 - 17:30 (NZT) and we'll respond to you within one working day.
If you want to encrypt your email our public key is available at https://zxsecurity.co.nz/pgp-key-security.txt.
Please tell us as much as you can about your finding without doing any further work on the vulnerability. This could include:
- Type of vulnerability
- Whether the vulnerability has been published or shared with others
- Affected systems, products and versions
- Affected configurations
- Step-by-step instructions, screenshots or proof-of-concept code to replicate your finding
- If personal information was exposed
- What has happened with any personal information exposed
We will acknowledge receipt of your email as soon as possible and give you an update on the progress of our investigation within 5 working days.
We will look at the reported vulnerability and work with any service provider to validate your finding.
We will notify you of what our investigation found and what we decided to do.
We aim to address all vulnerabilities as quickly as possible but may rely on third party suppliers and the terms of any contract.
Some types of behaviour are not reasonable research approaches. Please do not act in ways that can cause harm. This can include:
- Denial of Service (DoS/DDoS) attacks
- Accessing data or information that does not belong to you. Once you see there is a problem that exposes information, please do not look for more information, one example is enough
- Destroying or corrupting data or information that does not belong to you
- Sharing or publishing any personal information that you have obtained
Please do not share with others any vulnerability that you find until we’ve had the opportunity to fix it. We don’t want others trying to exploit the vulnerability.
Please do not share any personal information obtained from ZX as that could cause harm to individuals. Publishing or sharing personal information may be considered a breach of the New Zealand Privacy Act and could expose you to liability.
If you act in good faith and follow these guidelines then ZX make the following commitments to you:
- The information that you share with us as part of this process will be kept confidential within ZX and our directly contracted suppliers
- Your personal information including contact details will not be shared with third-parties without your permission
- We will not initiate legal action against people attempting to find vulnerabilities within our systems who adhere to these guidelines.