Responsible disclosure policy

Zuza is built on a foundation of human trust and technological precision. We combine certified Dating Guides with intelligent matching algorithms to create a dating platform where every member is verified and every interaction is protected. Even our Dating Guides cannot browse the full user database.

We believe that security researchers play a vital role in maintaining the integrity of our platform. If you discover a security vulnerability, we want to hear from you immediately so we can take action.

Safe Harbor (Our Commitment to You)

We value the work of ethical hackers. Zuza will not pursue civil action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy. If you follow these guidelines, we will treat your report with respect, urgency, and transparency.

Reporting Guidelines

To ensure a safe environment for our users and our platform, we require you to adhere to the following rules during your research:

  • Test only on your own accounts:
    Do not target, interact with, or compromise the accounts of other real Zuza users.
  • Stop at PII:
    If you accidentally encounter personally identifiable information (PII) or private messages of real users, stop your testing immediately, do not download or save the data, and report the vulnerability to us right away.
  • No disruptions:
    Do not perform Denial of Service (DoS/DDoS) attacks, aggressive automated scanning, or any actions that degrade the performance of our services.
  • No social engineering:
    Do not use phishing, social engineering, or physical security attacks against our team, Dating Guides, or infrastructure.
  • Keep it confidential:
    Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it (we request a standard 90-day disclosure window, though we aim to resolve critical issues much faster).

Out of Scope Vulnerabilities

  • Volumetric vulnerabilities (e.g., DoS/DDoS).
  • Vulnerabilities requiring physical access to a user's device.
  • Missing security headers or DMARC records that do not lead directly to an exploit.

How to Report a Vulnerability

Please report your findings directly to our security team at security@zuza.nl.

Include a clear description of the vulnerability, step-by-step instructions to reproduce it, and the potential impact.

We will acknowledge receipt of your report within three business days and keep you updated on the remediation process. Once we have deployed a fix, we will notify you before any public announcement.

Recognition and Appreciation

We highly appreciate researchers who help us protect our community.

For qualifying, previously unknown vulnerabilities, Zuza may offer a token of appreciation or bounty. We will discuss this with you directly after the vulnerability has been validated and resolved.