Do not open a public issue for security vulnerabilities.

Instead, please email aisprkl@gmail.com with:

1. A description of the vulnerability
2. Steps to reproduce
3. Potential impact assessment
4. Any suggested fixes (optional)

• Acknowledgment: Within 48 hours
• Initial assessment: Within 7 days
• Fix timeline: Within 90 days of confirmed report
• Public disclosure: After fix is released, coordinated with reporter

• Authentication or authorization bypass
• Remote code execution
• SQL injection or other injection attacks
• Credential exposure or leakage
• Cross-site scripting (XSS) in the web frontend
• Privilege escalation
• Denial of service via crafted input

• Bugs that do not have a security impact
• Feature requests
• Issues requiring physical access to the machine
• Social engineering attacks
• Vulnerabilities in dependencies that are already patched upstream

• Always set gateway_auth_token in production deployments
• Use environment variables (ZENII_TOKEN) instead of command-line arguments for secrets
• Run the daemon as a non-root user
• Use a reverse proxy with TLS for remote access
• Keep dependencies updated (cargo audit, Dependabot)