| Version | Supported |
|---|---|
| Latest | Yes |
The Aethelred Foundation takes security seriously. If you discover a security vulnerability in ZeroID, please report it responsibly.
- Do NOT open a public GitHub issue for security vulnerabilities.
- Email security@aethelred.io with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Any suggested fixes (optional)
- Acknowledgment within 48 hours of your report.
- Assessment within 5 business days with an initial severity classification.
- Resolution timeline communicated based on severity:
- Critical: Fix within 24-48 hours
- High: Fix within 7 days
- Medium: Fix within 30 days
- Low: Fix in next scheduled release
This policy applies to:
- The ZeroID frontend application
- The backend API gateway
- Solidity smart contracts
- Circom ZK circuits
- Rust TEE attestation crate
- Go and Python SDKs
- CI/CD infrastructure
We credit reporters in our security advisories (unless anonymity is requested) and maintain a security hall of fame for significant disclosures.
- All dependencies are monitored via Dependabot and
npm audit - CodeQL static analysis runs on every PR
- Smart contracts undergo formal security audits
- ZK circuits are verified with trusted setup ceremonies