If you believe you've found a security vulnerability in .github,
please do not open a public GitHub issue.
Instead, report it privately to security@zerverless.com with:
- A description of the vulnerability and its potential impact.
- Steps to reproduce, or a proof-of-concept if available.
- The version/commit you tested against.
You can expect an acknowledgment within 2 business days, and a status update at least every 5 business days until the issue is resolved or triaged as out of scope.
We follow a coordinated disclosure process: once a fix is available and released, we will credit the reporter (unless anonymity is requested) in the release notes / CHANGELOG. We ask that you give us a reasonable window to ship a fix before any public disclosure.
We consider security research conducted in good faith, consistent with this policy, to be authorized. We will not pursue legal action against researchers who follow these guidelines.
This policy covers the code in this repository. For vulnerabilities in the broader Zerverless platform or hosted services, please also report to security@zerverless.com — we will route internally as needed.