The Zopio team takes security seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.

DO NOT open a public issue for security vulnerabilities. Instead, please report them privately through one of these channels:

1. GitHub Security Advisories (Preferred):

   • Go to our Security Advisories
   • Click "Report a vulnerability"
   • Fill out the form with details

2. Email:

   • Send details to: security@zopio.dev
   • Encrypt sensitive information using our PGP key

Please provide as much information as possible:

• Description: Clear description of the vulnerability
• Impact: What can be achieved by exploiting this vulnerability
• Steps to Reproduce: Detailed steps to reproduce the issue
• Affected Versions: Which versions of Zopio are affected
• Proof of Concept: If possible, include code or screenshots
• Suggested Fix: If you have ideas on how to fix it

1. Acknowledgment: We'll acknowledge receipt within 48 hours
2. Communication: We'll keep you informed of our progress
3. Fix Timeline: We aim to fix critical issues within 7 days
4. Credit: We'll credit you in our security acknowledgments (unless you prefer to remain anonymous)
5. Bounty: While we don't have a formal bounty program yet, we may offer rewards for significant findings

• Code Reviews: All code requires review before merging
• Automated Scanning: We use CodeQL and other tools for vulnerability scanning
• Dependency Management: Regular updates via Dependabot
• Secret Scanning: Automated detection of exposed credentials
• Security Headers: Proper security headers in all applications
• Input Validation: Comprehensive input validation and sanitization
• Authentication: Secure authentication via Clerk
• Rate Limiting: Protection against abuse via Arcjet

We provide security updates for:

When contributing to Zopio:

1. Never commit secrets: API keys, passwords, tokens, etc.
2. Validate inputs: Always validate and sanitize user inputs
3. Use parameterized queries: Prevent SQL injection
4. Implement proper authentication: Use our auth system
5. Handle errors gracefully: Don't expose sensitive information
6. Keep dependencies updated: Regularly update packages
7. Follow OWASP guidelines: Implement security best practices

Before submitting a PR, ensure:

• No hardcoded secrets or credentials
• All user inputs are validated
• Authentication is properly implemented
• Authorization checks are in place
• Error messages don't leak sensitive info
• Dependencies are up to date
• Security headers are configured
• Rate limiting is implemented where needed

• We request 90 days to fix issues before public disclosure
• We'll work with you to understand and resolve the issue
• We'll publicly acknowledge your contribution (with permission)
• We support responsible disclosure and will not pursue legal action

• OWASP Top 10
• Node.js Security Best Practices
• Next.js Security
• Prisma Security

We thank the following security researchers for their contributions:

Thank you for helping keep Zopio and its users safe! 🛡️