Security: zensical/ui

Security policy

Reporting a vulnerability

We take the security of Zensical seriously. If you believe you have found a security vulnerability in Zensical, we encourage you to report it to us responsibly.

Please do not report security vulnerabilities through public GitHub issues, pull requests, or discussions.

Instead, please send a report to hello@zensical.org with the following information:

  1. A description of the vulnerability and its potential impact.
  2. The steps required to reproduce the issue.
  3. Any relevant files, screenshots, or proof-of-concept code.
  4. Your name and contact information, if you would like to be credited.

Our commitment

We are committed to working with security researchers and our community to address vulnerabilities quickly and transparently. When you submit a report, you can expect the following:

  • Acknowledgement within 3 business days of your report.
  • Regular updates on our progress as we investigate and address the issue.
  • Confidentiality – we will not share your personal information without your permission, and we ask that you keep the vulnerability confidential until we have had the opportunity to address it.
  • Credit – we are happy to acknowledge your contribution once the vulnerability has been resolved, if you would like.

Supported versions

We release security fixes for the latest stable version of Zensical. We encourage all users to stay up to date with the latest release to ensure they benefit from all security patches.

Scope

This policy applies to vulnerabilities in the Zensical codebase. If you discover a vulnerability in a third-party dependency, please report it to the maintainers of that project directly.

We take dependency security seriously. We are deliberate in our selection of third-party dependencies, and we actively monitor and update them to ensure Zensical remains on the latest stable versions. If you believe a dependency we use poses a security risk, feel free to bring it to our attention at hello@zensical.org.

There aren’t any published security advisories