Security support covers the current main branch, the latest published zpe-prosody package, and the repo-local proof and validation surfaces that ship with this repository.
Out of scope:
- Modified forks or downstream packages not distributed by Zer0pa.
- External corpora, model weights, scratch runtimes, or RunPod environments not committed to this repository.
- Claims that require changing the Zer0pa Source-Available License terms.
Report security issues privately to architects@zer0pa.ai.
Include:
- affected version, commit, or artifact path;
- steps to reproduce;
- expected impact;
- any proof-of-concept material needed for triage.
Do not open a public issue for exploitable behavior before triage.
- Acknowledgement: within 5 business days.
- Initial triage: within 10 business days after acknowledgement.
- Fix or mitigation plan: after triage, based on severity and reproducibility.
Security fixes may ship as source changes, documentation changes, proof-surface corrections, or release-process changes depending on the issue.