If you've found a security vulnerability in Zammad, please report the vulnerability exclusively via email to [email protected].

We will get back to you as soon as possible and inform you about the next steps. Accepted vulnerabilities will be disclosed via patch level release with accompanying security advisory.

Every first reporter of a vulnerability may be credited in the related security advisory.

Zammad does not offer financial compensation through a security bounty program.