Security
Last updated: June 11, 2026
Reporting a vulnerability
If you believe you have found a security vulnerability in any Zaira Labs service, please report it privately:
- Email: security@zairalabs.ai
- Machine-readable:
/.well-known/security.txt
We aim to acknowledge good-faith reports within 72 hours, provide an initial assessment within a few business days, and prioritize remediation according to severity. Please give us a reasonable opportunity to investigate and remediate before any public disclosure.
Scope
In scope:
- The Zaira Guide website, REST API, and MCP server
- The Zaira Labs marketing website
- Issues affecting the confidentiality, integrity, or availability of Zaira Labs data
Out of scope:
- Findings that depend on browser versions older than 12 months
- Theoretical issues with no demonstrable security impact
- Volumetric denial-of-service against shared infrastructure
- Issues in third-party services that integrate with our APIs (please report those to the third party directly)
Safe harbor
We will not pursue legal action against good-faith security researchers who:
- Comply with this policy
- Avoid privacy violations, data destruction, or service interruption
- Report findings privately and give us reasonable time to respond
- Do not access or modify data beyond what is necessary to demonstrate the issue
We do not currently operate a paid bug bounty. With your consent, we will publicly acknowledge researchers who responsibly report substantive vulnerabilities.