If you discover a security vulnerability in Zano, please do not open a public GitHub issue. Instead, report it privately so it can be triaged and patched before details become public.

Preferred channel: GitHub private vulnerability reporting

Or by email: zaynhaodev@gmail.com — please include [zano security] in the subject so it doesn't get lost.

When reporting, please include:

• A clear description of the vulnerability and its impact
• Steps to reproduce (proof-of-concept code is helpful but not required)
• The affected component (apps/web, apps/bridge, packages/cli, etc.) and version/commit
• Any suggested mitigation, if you have one

• I aim to acknowledge reports within 72 hours.
• For valid issues, I'll work on a fix and coordinate disclosure with you.
• Zano is a small project maintained in personal time, so timelines for fixes will vary by severity. Critical issues take priority.
• I'll credit you in the security advisory unless you'd rather stay anonymous.

In-scope:

• The Zano web application (apps/web)
• The Zano bridge published as @fehey/zano-bridge on npm
• The @fehey/zano-cli package
• Database schema, RLS policies, and triggers in packages/db

Out of scope:

• Vulnerabilities in third-party dependencies (please report those upstream — though feel free to ping me too if Zano needs a version bump)
• Issues in the hosted infrastructure at zano.fehey.com that are not caused by application code (e.g. Supabase platform issues)
• Social-engineering attacks, physical attacks, or anything requiring access to a victim's already-unlocked device

If you're running Zano on your own infrastructure:

• Rotate the Supabase service role key if it ever lands in a place it shouldn't (logs, error reports, screenshots).
• Keep RLS policies reviewed when you change the schema — Zano relies on Supabase RLS to enforce channel/server isolation.
• The bridge runs Claude Code with your local credentials. Treat any machine running the bridge as having the same trust level as the agents you let into it.
• Pin the bridge to a specific version in production (npx @fehey/zano-bridge@x.y.z) rather than tracking latest.