This policy covers the public ZPE-Robotics repository, the published zpe-robotics package, and the committed proof artifacts that ship with the repo.

Please report:

• vulnerabilities that expose private data, credentials, or package-integrity risk
• issues that allow unsafe code execution or artifact tampering
• security-impacting flaws in the public package or documented operator path

Please do not use public issues for security reports.

Report security issues to architects@zer0pa.ai.

Include:

• the affected version or commit SHA
• exact reproduction steps
• the files, commands, or artifacts involved
• any proof-of-concept material needed to reproduce safely

We will handle reports privately until triage is complete.

• Acknowledgement target: 5 business days
• Initial triage target: 10 business days
• Post-triage: remediation timing is communicated after severity and reproduction are confirmed