SECURITY

Security Disclosure Policy

ZestSSH is built and maintained by one person — a full-time college student working on this in evenings and weekends. I take security seriously and welcome researchers who help me make the product safer.

Reporting a vulnerability

Email [email protected] with:

  • A description of the issue
  • Steps to reproduce
  • Potential impact
  • Your name or handle (for acknowledgment, if you want credit)

I'll respond within 5 business days to confirm receipt, and follow up within 14 days with a timeline or resolution plan.

Scope

In scope

  • The ZestSSH mobile and desktop apps
  • Juiced infrastructure (sync endpoint, authentication flow, storage model)
  • Automation Engine security (API key handling, command execution, credential isolation)
  • Backup file encryption
  • The zestssh.com website and any supporting infrastructure

Out of scope

  • Social engineering of staff (it's just me)
  • Physical attacks on users' devices
  • Issues requiring root/jailbreak on the victim's device
  • Denial of service attacks
  • Vulnerabilities in third-party dependencies not directly exploitable through ZestSSH
  • Issues in beta/preview features clearly marked as experimental

Safe harbor

I will not pursue legal action against researchers who:

  • Make a good-faith effort to avoid privacy violations, data destruction, or service disruption
  • Only interact with accounts they own or have explicit permission to test
  • Give me reasonable time to investigate and respond before any public disclosure
  • Don't exploit the issue beyond what's necessary to demonstrate impact

I'd rather hear about a problem than read about it on Twitter. If you're not sure whether something counts, ask.

Rewards

I'm not a funded company. I'm a college student building this alone. I can't offer cash bounties, but I genuinely appreciate the help and will offer:

  • ZestSSH Squeezed license — free, forever
  • Juiced upgrade — free, forever
  • Public acknowledgment on this page (your call — some researchers prefer private credit)
  • Direct line to me for future reports

For particularly impactful findings, I'll work out something that reflects the value — just ask.

Disclosure timing

My preferred disclosure window is:

  • Critical (account takeover, mass data exposure, cryptographic failures): 90 days
  • High (meaningful but contained impact): 60 days
  • Medium / Low (coordinated with the release cycle): 30 days

If you need faster disclosure for safety reasons (active exploitation, etc.), tell me and we'll coordinate.

What I commit to

  • Acknowledge your report within 5 business days
  • Keep you updated on progress
  • Credit you publicly (unless you prefer otherwise)
  • Not threaten or retaliate against good-faith researchers
  • Fix validated issues as fast as a solo developer reasonably can

Acknowledgments

Thanks to the researchers who've helped improve ZestSSH's security:

This list will grow as reports come in. Be the first!