How we build, and how to tell us when we got it wrong.
Security work is not a marketing surface for us. This page is here so researchers know how to reach us, and so clients can see what we actually do.
Reporting a vulnerability
Email support@zyg-squared.com with:
- A description of the issue and the affected component
- Steps to reproduce
- Your assessment of impact
- How you’d like to be credited, if at all
We acknowledge reports within three business days and provide a remediation timeline for confirmed issues within ten business days.
A machine-readable contact card is published at /.well-known/security.txt.
Scope
In scope:
- zyg-squared.com and subdomains we operate
- Published Zyg-Squared LLC iOS and Android applications
Out of scope:
- Third-party services we integrate with — report to them directly
- Social-engineering, physical, or denial-of-service testing
- Automated scanning that generates significant traffic
Safe harbor
Good-faith security research conducted under this policy is authorized. We will not pursue legal action against researchers who avoid privacy violations, only interact with accounts they own or have permission to test, and give us a reasonable window to remediate before public disclosure.
Engineering practices
The defaults we apply to client work and to this site itself:
- Infrastructure in Terraform, reviewed via pull request before any apply
- GitHub Actions deploy via OIDC federation to a short-lived IAM role; no long-lived AWS access keys are stored in CI or checked into any repository
- Least-privilege IAM scoped per workload, MFA required on all human accounts
- HSTS preload, strict Content Security Policy, modern TLS only
- S3 buckets private by default, CloudFront via Origin Access Control
- Access logs retained for 365 days, archived to Glacier after 90
- Pre-commit secret scanning (gitleaks) and Terraform validation
- Dependencies reviewed for advisories before release; transitive dev-only advisories tracked but not blocking
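The following Terraform is an added illustration of several of these defaults, not configuration taken from Zyg-Squared's repositories. It assumes a GitHub repository named example-org/example-site deploying from its main branch, an origin bucket named example-site-origin, and an ACM certificate ARN supplied as a variable; all of those names are placeholders. It shows the OIDC trust policy scoped to one repository and branch, a per-workload deploy policy limited to that bucket and distribution, an origin bucket with public access blocked and readable only by one CloudFront distribution through Origin Access Control, and a TLS 1.2 floor on the viewer side. HSTS and CSP response headers, log bucket lifecycle rules, and DNS and certificate issuance are out of scope here.

```hcl
variable "certificate_arn" { type = string } # ACM certificate in us-east-1 (assumed to exist)

# Who may deploy: GitHub Actions via OIDC, from one repository and one branch.
resource "aws_iam_openid_connect_provider" "github" {
  url            = "https://token.actions.githubusercontent.com"
  client_id_list = ["sts.amazonaws.com"]
  # Required by the resource; placeholder value, verify against GitHub's current docs.
  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
}

data "aws_iam_policy_document" "deploy_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    # Without this condition, a workflow in any GitHub repository could assume the role.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:example-org/example-site:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "deploy" {
  name               = "github-deploy-example-site"
  assume_role_policy = data.aws_iam_policy_document.deploy_trust.json
}

# What the deploy role may do: write one bucket and invalidate one distribution.
data "aws_iam_policy_document" "deploy_permissions" {
  statement {
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.site.arn]
  }
  statement {
    actions   = ["s3:PutObject", "s3:DeleteObject"]
    resources = ["${aws_s3_bucket.site.arn}/*"]
  }
  statement {
    actions   = ["cloudfront:CreateInvalidation"]
    resources = [aws_cloudfront_distribution.site.arn]
  }
}

resource "aws_iam_role_policy" "deploy" {
  role   = aws_iam_role.deploy.name
  policy = data.aws_iam_policy_document.deploy_permissions.json
}

# Origin bucket: no public ACLs or policies; only CloudFront reads it.
resource "aws_s3_bucket" "site" { bucket = "example-site-origin" }

resource "aws_s3_bucket_public_access_block" "site" {
  bucket                  = aws_s3_bucket.site.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_cloudfront_origin_access_control" "site" {
  name                              = "example-site-oac"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

resource "aws_cloudfront_distribution" "site" {
  enabled = true
  aliases = ["example-site.example"] # placeholder hostname
  origin {
    domain_name              = aws_s3_bucket.site.bucket_regional_domain_name
    origin_id                = "s3-origin"
    origin_access_control_id = aws_cloudfront_origin_access_control.site.id
  }
  default_cache_behavior {
    target_origin_id       = "s3-origin"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = "658327ea-f89d-4fab-a63d-7e88639e58f6" # AWS managed CachingOptimized
  }
  restrictions { geo_restriction { restriction_type = "none" } }
  viewer_certificate {
    acm_certificate_arn      = var.certificate_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021" # needs a custom cert; the default cert allows TLS 1.0
  }
}

# Bucket policy: the CloudFront service principal, restricted to this one distribution.
data "aws_iam_policy_document" "site_bucket" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.site.arn}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.site.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "site" {
  bucket = aws_s3_bucket.site.id
  policy = data.aws_iam_policy_document.site_bucket.json
}
```

Two conditions carry most of the weight: the `sub` condition on the trust policy, without which any public GitHub repository could mint a token that AWS accepts, and the `AWS:SourceArn` condition on the bucket policy, without which any CloudFront distribution in any account could be pointed at the bucket. Both are easy to leave out and still have a working deploy, which is why they belong in reviewed Terraform rather than clicked through a console.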
Incident handling
If we discover or are notified of a confirmed security incident affecting personal data we process, we notify affected individuals and relevant authorities consistent with the legal obligations of the data's jurisdiction. For Zyg-Squared-operated services, we publish a post-incident summary at /.well-known/incidents/ when an incident has user-facing impact.