ZTAP takes security seriously. If you believe you have found a security vulnerability, please report it responsibly.

Preferred: report privately via GitHub Security Advisories:

• Security tab -> Advisories -> Report a vulnerability
• Direct link: ../../security/advisories/new

Please do not open a public GitHub issue for security reports.

Include as much of the following as you can:

• Affected version/commit (and whether you are on a release or main)
• Impact (what an attacker can do)
• Reproduction steps / proof of concept
• Any relevant logs, configuration, and environment details (OS, Go version)

Security fixes are provided for:

• The latest tagged release
• The main branch

Older releases are not guaranteed to receive security patches.

If the project has not published a release yet, only main is considered supported.

• We aim to acknowledge receipt within 72 hours.
• We will triage, reproduce, and work on a fix.
• When a fix is ready, we will coordinate a release and publish an advisory.

Thank you for helping keep ZTAP and its users safe.