Skip to main content

If you believe your organization meets the criteria to be eligible to receive vulnerability alerts please fill out the form below.

Criteria for Participation

  • Have a contact who will respond to emails within a week and understands how Zephyr is being used in the product.
  • Have a publicly listed product based on some release of Zephyr.
  • Have an actively monitored security email alias.
  • Accept the Zephyr Embargo Policy that is outlined below.

Removal: If a member stops adhering to these criteria after joining the list then the member will be unsubscribed.

More information on Zephyr’s Security and Disclosure practices can be found at Security.

Zephyr Embargo Policy:
The information members receive during embargo periods may be received on . Any information regarding embargoed vulnerabilities must not be made public, shared, nor even hinted at anywhere beyond the need-to-know within your specific team except with the list's explicit approval. This holds true until the public disclosure date/time that was agreed upon by the list. Members of the list and others may not use the information for anything other than getting the issue fixed for your respective product's users.

Before any embargoed information is shared with respective members of your team required to fix said issue, they must agree to the same terms and only find out information on a need-to-know basis.

In the unfortunate event a member shares the information beyond what is allowed by this policy, that member must urgently inform the mailing list of exactly what information leaked and to whom. A retrospective will take place after the leak so we can assess how to not make the same mistake in the future.

If the member continues to leak information and break this policy, the member will be removed from the list.

More details of how vulnerabilities are handled can be found in our Security Incident Management documentation.

I accept the terms of the Zephyr Embargo Policy as an authorized agent of my organization and confirm that recipients on the Security Email Mailing Alias indicated are need-to-know members of my organization. I agree to be contacted using the provided contact information.*