Please do NOT open public issues for security vulnerabilities.

To report a security vulnerability, please email: hello@zvectorlabs.com

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

We will respond within 48 hours and provide updates on the resolution timeline.

• Never commit API keys or secrets to the repository
• Always use environment variables or config files (gitignored) for credentials
• Keep dependencies up to date: cargo audit

• Status: No fix available (transitive dependency via sqlx-mysql)
• Impact: ZDK does not directly use MySQL; vulnerability is in TLS key exchange
• Mitigation: PostgreSQL and SQLite are primary database options
• Tracking: Waiting for sqlx to update rsa dependency

• fxhash (via scraper): Warning only, no security impact
• paste (via rmcp): Compile-time macro only, no runtime risk

Run cargo audit regularly to check for updates.