| Version | Supported |
|---|---|
| 1.x | ✅ |
If you discover a security vulnerability in ZeroBin, please report it responsibly:
- DO NOT open a public GitHub issue
- Use GitHub Security Advisories to report privately
- Or email: security@webpilot.cc
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Assessment: Within 7 days
- Fix: Within 30 days for critical issues
The following are in scope:
- Server-side vulnerabilities in the Worker code
- Client-side encryption/decryption flaws
- Authentication/authorization bypasses
- Data leakage (encryption key exposure, plaintext leaks)
- Rate limiting bypasses
The following are out of scope:
- Denial of service (Cloudflare handles this)
- Social engineering
- Issues in third-party dependencies (report upstream)
ZeroBin uses a zero-knowledge architecture:
- All encryption/decryption happens client-side (AES-256-GCM)
- The encryption key is in the URL fragment (never sent to the server)
- The server only stores encrypted blobs
- PBKDF2-SHA256 with 100,000 iterations for key derivation
The server cannot decrypt any stored data by design.