If you discover a security vulnerability in ZeroClickBoards, please report it privately so we can address it before public disclosure.
Do not open a public GitHub issue for security vulnerabilities.
Send a report to the maintainer via email (find contact via the GitHub profile).
Please include:
- A description of the vulnerability
- Steps to reproduce
- Potential impact (who is affected, what data is at risk)
- Any suggested mitigation
What to expect:
- Acknowledgement within 3 business days
- Initial assessment within 7 days
- Fix or mitigation plan communicated as soon as feasible based on severity
- Credit in the release notes once a fix ships, if you'd like
The following are in scope:
- The main application at board.zeroclickdev.ai
- Code in this repository (frontend + `/api` serverless functions)
- Supabase schema, RLS policies, and database access patterns
Out of scope:
- Denial-of-service attacks against the hosted service
- Social engineering of maintainers or users
- Vulnerabilities in third-party services (Supabase, Vercel, Stripe) — report those upstream
Only the main branch is actively supported. Please ensure your report reproduces against the latest main.
We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption
- Report the vulnerability privately and give us reasonable time to respond
- Do not exploit the vulnerability beyond what is necessary to demonstrate it
Thank you for helping keep ZeroClickBoards and its users safe.