We take security seriously. Please report vulnerabilities privately so we can fix them before disclosure.
Use GitHub's private vulnerability reporting: https://github.com/highflame-ai/zeroid/security/advisories/new
This routes the report to repository administrators only. Do not file a public issue for any vulnerability that has an exploit path — the issues tracker is public and indexed by search engines.
If you cannot use the GitHub form, email support@highflame.com with:
- A description of the issue
- Steps to reproduce
- Affected versions
- Your name + contact for credit (optional)
- A suggested fix or mitigation if you have one
In scope:
- Auth bypass, IDOR, tenant-isolation violations
- Token forgery, signature confusion, algorithm confusion
- Privilege escalation, scope-ceiling bypasses
- SSRF, SQLi, command injection
- Secret exposure (logs, errors, telemetry)
- DoS that's amplifiable beyond a single client
Out of scope (please file public issues for these):
- Documentation typos
- Feature requests
- Performance issues that aren't security-amplifiable
- Self-DoS (e.g. "if I generate a 10GB JWT, the server slows down")
Security fixes ship to:
- main (always)
- The most recent tagged release (when versioned releases exist)
Response timeline:
- Initial acknowledgement: within 2 business days
- Triage decision (in scope / out of scope / severity): within 5 business days
- Fix targeted: within 30 days for critical/high; 90 days for medium; best-effort for low
- Public disclosure (CVE): after a fix is available and customers have had reasonable time to update
Disclosure process:
- Reporter files a private report
- Highflame triages, drafts a GitHub Security Advisory
- Fix is developed in a temporary private fork (linked off the advisory)
- Once the fix lands on main and a release tag exists, the advisory is published as a CVE
- Reporter is credited (with permission)
We thank everyone who has reported issues responsibly. Confirmed reporters who opt in are listed in the published advisory and our release notes.