Security

SECURITY.md

Security Policy

Supported Versions

Security fixes target the latest released version and the main branch.

Reporting a Vulnerability

Do not open a public issue for security vulnerabilities.

Email: security@getzero.dev

Please include:

affected version or commit
reproduction steps
impact
whether credentials, funds, or private data are at risk

Scope

In scope:

secret handling
authentication and authorization
execution safety
paper/live mode isolation
risk gates and kill switches
API security
supply-chain security

Out of scope:

social engineering
denial-of-service without a safety or data-integrity impact
third-party dependency vulnerabilities without a ZERO-specific exploit path

Response Targets

Acknowledge: 48 hours
Critical triage: 7 days
Public advisory: after fix or coordinated disclosure window

There aren't any published security advisories