DayZero
Effective April 7, 2026

Responsible Disclosure Policy

At DayZero, security is foundational to everything we build. We value the work of independent security researchers and welcome responsible disclosure of vulnerabilities. If you believe you've found a security issue in our platform, we want to hear from you.

Contents

  1. Introduction
  2. Scope
  3. Reporting a Vulnerability
  4. Response Timeline
  5. Reward Tiers
  6. Safe Harbor
  7. Rules of Engagement
  8. Non-Qualifying Vulnerabilities
  9. Recognition
  10. Submit a Vulnerability Report

1. Introduction

DayZero Payments, Inc. (“DayZero,” “we,” “us,” or “our”) is committed to maintaining the security and integrity of our platform, our users' data, and the financial systems we power. We operate a responsible disclosure program to encourage security researchers to help us identify and resolve vulnerabilities before they can be exploited.

We believe that coordinated disclosure benefits everyone — researchers, our customers, and the broader community. We pledge to work with you in good faith if you follow this policy.


2. Scope

In Scope

  • The DayZero web application (app.dayzero.com)
  • DayZero public API endpoints (api.dayzero.com)
  • Authentication and authorization flows
  • Payment processing and financial data handling
  • The DayZero marketing site (dayzero.com)

Out of Scope

  • Third-party services and integrations (e.g. Plaid, Stripe, Clerk)
  • Social engineering or phishing attacks against DayZero employees or users
  • Physical attacks against DayZero offices or data centers
  • Denial of service (DoS/DDoS) attacks
  • Automated vulnerability scanning that degrades service performance
  • Attacks against infrastructure we do not own or operate

3. Reporting a Vulnerability

Use the report form below to submit vulnerability reports. Please include as much detail as possible:

  • Description — A clear summary of the vulnerability and which systems are affected.
  • Reproduction steps — Detailed, step-by-step instructions to reproduce the issue.
  • Impact assessment — Your evaluation of the potential impact (e.g. data exposure, privilege escalation).
  • Proof of concept — Any code, screenshots, or video recordings that demonstrate the vulnerability.
  • Your contact information — So we can follow up and coordinate a fix.

Please do not include sensitive customer data in your report. If the vulnerability involves access to real data, describe what you observed without sharing the data itself.


4. Response Timeline

We are committed to responding to all valid reports promptly. Here is what you can expect:

  • Acknowledgment: Within 2 business days of receiving your report.
  • Triage & Assessment: Within 10 business days, we will provide an initial severity assessment and let you know if the issue qualifies for a reward.
  • Resolution: We aim to remediate confirmed vulnerabilities as quickly as possible, typically within 90 days.
  • Disclosure: We follow a 90-day coordinated disclosure window. We will work with you on the timing and content of any public disclosure after a fix is deployed.

5. Reward Tiers

Rewards are determined based on the severity of the vulnerability, the quality of the report, and the potential impact on DayZero and our users. All reward amounts are at DayZero's sole discretion.

Critical: $500 – $2,000

Remote code execution, authentication bypass, unauthorized access to financial data, mass data exfiltration.

High: $200 – $500

Privilege escalation, stored cross-site scripting (XSS), server-side request forgery (SSRF), significant information disclosure.

Medium: $50 – $200

Cross-site request forgery (CSRF), moderate information disclosure, insecure direct object references with limited impact.

Low: Recognition

Minor misconfigurations, low-impact information disclosure, issues requiring unlikely user interaction chains.

Rewards are paid via bank transfer or gift card at the researcher's preference. Researchers outside the United States may be subject to additional verification requirements.


6. Safe Harbor

DayZero will not pursue civil or criminal action against researchers who discover and report security vulnerabilities in good faith and in compliance with this policy. Specifically:

  • We consider research conducted under this policy to be authorized under the Computer Fraud and Abuse Act (CFAA), the DMCA, and equivalent state laws.
  • We will not file a complaint against you for circumventing technological measures if your actions were in good faith and limited to testing our systems.
  • If a third party initiates legal action against you for activities that were conducted in accordance with this policy, we will take steps to make it known that your actions were authorized.
  • This safe harbor does not apply to activities that involve accessing other users' data without their consent, causing damage to our systems, or violating any law beyond the scope of security research.

7. Rules of Engagement

To qualify for safe harbor protections and rewards, you must adhere to the following rules:

  • Test only on accounts you own or have explicit written permission to test.
  • Do not access, modify, or delete data belonging to other users. If you accidentally access someone else's data, stop immediately and report it.
  • Do not degrade service availability. Avoid high-volume automated scanning, brute-force attacks, or any activity that could impact system performance for other users.
  • No social engineering. Do not target DayZero employees, contractors, or customers with phishing, pretexting, or other social engineering techniques.
  • Do not publicly disclose the vulnerability until we have confirmed a fix is in place and agreed on a disclosure timeline.
  • Comply with all applicable laws in your jurisdiction and ours.

8. Non-Qualifying Vulnerabilities

The following issues are generally not eligible for rewards, though we still appreciate reports if you believe they represent a genuine risk:

  • Software version or server banner disclosure
  • Missing non-critical HTTP security headers (e.g. X-Frame-Options on non-sensitive pages)
  • Self-XSS (cross-site scripting that only affects the researcher's own session)
  • Clickjacking on pages with no sensitive actions
  • Password or authentication policy opinions (e.g. minimum length requirements)
  • Rate limiting on non-authentication endpoints
  • Missing email verification, or SPF/DKIM/DMARC configuration issues
  • Content injection without a demonstrated security impact
  • Issues in third-party dependencies with no demonstrated exploitability in our environment
  • Vulnerabilities requiring physical access to a user's device

9. Recognition

With your permission, we will publicly acknowledge your contribution on a dedicated hall of fame. Researchers who have helped secure DayZero will be credited by name (or handle) unless they prefer to remain anonymous.

We believe in celebrating the security community. Your work makes the internet safer for everyone.


10. Submit a Vulnerability Report

Use the form below to submit your report. All submissions go to our security team and will be treated as confidential.

Screenshots / proof-of-concept images
PNG, JPG, GIF, or WebP · max 5 files · 5 MB each


If you have questions about this policy or need to reach us outside of the form, email security@dayzero.com.

Thank you for helping us keep DayZero and our customers safe.

© 2026 DayZero