The zircote organization takes security seriously. We appreciate responsible disclosure of security vulnerabilities.
Email: security@zircote.com
Please include:
- Type of vulnerability
- Location of affected source code (file path, tag/branch/commit)
- Steps to reproduce
- Proof-of-concept if available
- Potential impact assessment
Response timeline:
- Acknowledgment: within 48 hours
- Assessment: validity and severity determination within 7 days
- Resolution: fix development and coordinated disclosure
- Credit: recognition in release notes (with permission)
In Scope:
- Source code in zircote repositories
- Configuration and infrastructure code
- Authentication and authorization
- Data handling and API endpoints
Out of Scope:
- Social engineering
- Physical security
- Denial of service
- Third-party services
- Already reported issues
Disclosure policy:
- Allow 90 days for remediation before public disclosure
- Coordinate disclosure timing with the maintainers
- Security advisories are published via GitHub Security Advisories
Security research conducted under this policy is:
- Authorized under applicable laws
- Protected from legal action for good-faith violations
- Valued as contribution to security
Please:
- Avoid privacy violations and data destruction
- Only test accounts you own or have permission for
- Stop and report immediately upon encountering sensitive data
Supported versions:
- Latest major version
- Previous major version (for 6 months after a new major release)
See individual repositories for specific policies.
Security practices for contributors:
- Never commit secrets or credentials
- Use environment variables for sensitive data
- Follow least-privilege principles
- Keep dependencies updated
- Validate all user inputs
- Use parameterized queries
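The three code-level items in that list (environment variables for secrets, input validation, parameterized queries) are easier to apply when the difference is visible side by side. The following is an added example written for this page, not code from any zircote repository: it runs an in-memory SQLite database with constructed sample rows, compares a string-built query against a parameterized one on the same probe input, gates usernames with an allowlist pattern, and reads a database password from the environment. The variable name `ZIRCOTE_DB_PASSWORD` and the username pattern are assumptions made for the demo.

```python
"""Added example (not zircote's code): string-built SQL versus a parameterized
query, an allowlist input check, and secrets read from the environment.
The table, its rows and the probe input are constructed for this demo."""
import os
import re
import sqlite3

# Allowlist for usernames; a hypothetical project rule, assumed for the demo.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The pattern the policy warns against: input concatenated into SQL.
    Kept only to show how the result set differs from the safe version."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver binds `name` as data, never as SQL text."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def validate_username(name: str) -> bool:
    """Input validation at the boundary: accept only what the allowlist permits."""
    return bool(USERNAME_RE.fullmatch(name))


def db_password() -> str:
    """Secrets come from the environment, not from source committed to git.
    ZIRCOTE_DB_PASSWORD is a hypothetical variable name chosen for this demo."""
    value = os.environ.get("ZIRCOTE_DB_PASSWORD")
    if not value:
        raise RuntimeError("ZIRCOTE_DB_PASSWORD is not set")
    return value


def demo() -> dict:
    """Run both lookups on a constructed probe that is data, not a valid username."""
    conn = make_db()
    probe = "' OR '1'='1"
    return {
        "unsafe": find_user_unsafe(conn, probe),   # every row comes back
        "safe": find_user_safe(conn, probe),       # no row has that literal name
        "valid": validate_username(probe),         # rejected before any query runs
        "alice_safe": find_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the string-built lookup returning both users for an input that names neither of them, while the parameterized lookup returns nothing and the allowlist check rejects the input outright; in a real code base the validation runs first and the concatenated form never exists.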