Security

Last updated: April 25, 2026

Zarev is still young. We prefer being transparent about the current state rather than selling security we haven't validated through a third party yet.

External audit

An Aikido audit (or an equivalent SAST + DAST + dependency-scanning audit) is planned after the Pro launch, as soon as the user base justifies the investment. This page will be updated when the audit is complete.

Informal bug bounty

We don't have a paid bug bounty program yet. If you find a vulnerability, please report it to security@zarev.dev. In exchange: public thanks in the hall of fame below (if you wish) and free lifetime Pro access.

Responsible disclosure policy

We follow a classic responsible disclosure cycle:

  • Acknowledgment within 72 hours.
  • Critical fix within 14 days (RCE, auth bypass, data leak).
  • High-severity fix within 30 days (XSS, IDOR with limited impact).
  • Public disclosure 90 days after the fix, or upon your explicit request.

Active security controls

Technical measures in place today:

  • Gitleaks-based secret stripping on the CLI side (~150 patterns) before any upload to the backend.
  • Row Level Security (RLS) on every Supabase table holding user data. The service role is isolated from the user flow.
  • Local audit log on the CLI side (~/.zarev/audit.log): every scan and brief is recorded.
  • All secrets (API keys, tokens) are loaded via environment variables only. No secrets are committed to the repository.
  • Sentry active on frontend and backend, with a strict PII scrubber (emails, tokens, project_description).
  • TLS 1.3 mandatory for all CLI ↔ backend communication. Invalid certificates are rejected.

Repo and SECURITY.md

The Zarev backend pipeline (internal name: Pulse) is partially public. The repository's SECURITY.md contains the technical details for reporting a vulnerability: github.com/Arch-s-Technologies/pulse/blob/master/SECURITY.md.

Hall of fame

No one yet. Be the first.