This policy covers the zenzic-doc documentation portal — the Docusaurus-based site hosted at zenzic.dev.

For vulnerabilities in the Zenzic engine (Python, Shield scanner, path-traversal protection), see the core security policy.

Please do not open a public GitHub issue for security vulnerabilities.

Report privately via:

• GitHub Security Advisories (preferred): github.com/PythonWoods/zenzic-doc/security/advisories
• Email: dev@pythonwoods.dev — subject line: [SECURITY] zenzic-doc — <brief description>

Include a clear description of the vulnerability, steps to reproduce, potential impact, and a suggested fix if available.

We will acknowledge your report within 72 hours and aim to release a patch within 14 days of confirming the issue.

Out-of-scope: content errors, broken links (reported as standard issues), cosmetic rendering bugs, or issues that only affect local dev mode (npm run start).

npm dependencies are audited automatically:

• npm-audit.yml runs on every PR, push to main, and weekly — flags high-severity CVEs.
• dependency-review.yml flags risky dependency changes introduced by PRs.

To audit locally:

npm audit --audit-level=high

The documentation portal is a static site — no server-side code executes at runtime. The attack surface is limited to:

• Build pipeline — npm run build executes Node.js. Crafted MDX could theoretically

  exploit a Docusaurus or remark plugin vulnerability. Keep dependencies up to date.

• Pre-commit hooks — the Zenzic Sentinel scans all source files for credential patterns

  before every commit. The Shield (exit code 2 on Z201) is the last line of defence before content reaches the public site.

• Static assets — binary files committed to static/ bypass text-based scanning.

  The check-added-large-files hook limits accidental binary commits.