Do not open a public issue for a security vulnerability.
Report security issues privately to:
architects@zer0pa.ai
What counts as a security issue:
- committed secrets or tokens
- supply-chain or dependency compromise
- arbitrary code execution or privilege escalation paths
- unsafe workflow or bootstrap behaviour that can expose credentials or local files
What does not count:
- normal correctness failures
- falsification findings
- performance shortfalls
- stale proof claims
Those belong in the normal repo workflow.
Supported versions: the currently-installable zpe-video package on
the main branch (package version 0.1.0). The always-in-beta cadence
means the next minor release may ship at any time; security fixes target
the main branch and the latest tagged release.
Current security posture:
- the security contact is live
- the public code surface (src/zpe_video/receipt.py, tests, docs-facing examples) is zero-dependency pure stdlib for the core receipt module; optional extras (producer,research) pull in numpy / torch / ultralytics and inherit their upstream security surfaces
- repo-local secret scans are run before each signed release tag
If you find a vulnerability, email architects@zer0pa.ai. Do not open a
public issue for a security report, and do not file a CVE before we
respond. We will acknowledge within five business days.
