This policy covers the zpe-touch package, the native extension build surface, and
the proof and validation artifacts committed in this repository.

Security issues include:
- code execution, privilege escalation, or data exfiltration through package or build paths
- secrets or credentials committed to the repository
- supply-chain or release-metadata integrity issues

Non-security issues include documentation disputes, benchmark losses, and bounded-scope claim disagreements that do not create a security impact.

Do not open a public issue for a security vulnerability.

Report privately to architects@zer0pa.ai with:
- the affected component, file, or command
- reproduction steps or a proof of concept
- impact and severity
- any suggested mitigation if available

Public issues remain appropriate for non-sensitive bugs, documentation fixes, and evidence disputes that do not expose a security concern.

| Stage | Target |
|---|---|
| Acknowledgement | within 5 business days |
| Initial triage | within 10 business days |
| Remediation plan or coordinated disclosure timeline | post-triage |