
Security

How we protect you, and how to report a vulnerability.

Report a Vulnerability

Responsible Disclosure

If you discover a security vulnerability in ZoarkBot or app.zoarkai.org, please report it privately. Do not publicly disclose it until we have had a chance to address it.

[email protected]

Include in your report: description of the issue, steps to reproduce, potential impact, and your contact information.

We aim to acknowledge reports within 24 hours and provide a resolution timeline within 72 hours.

Security Practices

Authentication
Clerk-powered authentication with MFA support. Sessions are short-lived and session cookies are set with secure cookie flags.

Payments
All payments are processed by Stripe. We never store card numbers, CVV codes, or bank details.

Self-Hosted by Design
Your automation data, AI conversations, and credentials stay on your machine. We cannot access them.

License Validation
Machine IDs are SHA-256 hashed before transmission. The hash is one-way, so we cannot recover the raw machine ID from it; the same machine produces the same hash on every check.

Security Headers
Content-Security-Policy, X-Frame-Options, Strict-Transport-Security (HSTS), and Referrer-Policy are sent on every response.

HTTPS Only
All traffic is encrypted with TLS. Plain HTTP requests are redirected to HTTPS automatically.
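The header and redirect claims above are easy to verify from the outside. The script below is an added example (not part of the ZoarkBot project) that audits a response header block for the four headers listed, flags an HSTS header without a positive max-age (browsers ignore those), and checks that plain HTTP answers with a redirect to https://. The two header blocks in the script are constructed samples so it runs offline; with the argument `live` it fetches the real headers with curl (the host name defaults to app.zoarkai.org).

```shell
#!/bin/sh
# Added example, not ZoarkBot's own code: audit a response for the security
# headers the page says are enforced. SAMPLE_OK / SAMPLE_BAD are constructed
# header blocks; in practice feed it the output of `curl -sI https://app.zoarkai.org/`.

# check_security_headers HEADERS
#   Prints each missing or weak header and returns 1 if any were found,
#   0 when all four are present and HSTS carries a positive max-age.
check_security_headers() {
  hdrs=$1
  rc=0
  for name in content-security-policy x-frame-options strict-transport-security referrer-policy; do
    if ! printf '%s\n' "$hdrs" | grep -qi "^$name:"; then
      echo "missing: $name"
      rc=1
    fi
  done
  # HSTS with no max-age, or max-age=0, is treated by browsers as "not enabled".
  hsts=$(printf '%s\n' "$hdrs" | grep -i '^strict-transport-security:' | head -n 1)
  if [ -n "$hsts" ] && ! printf '%s' "$hsts" | grep -qiE 'max-age=[1-9][0-9]*'; then
    echo "weak: strict-transport-security has no positive max-age"
    rc=1
  fi
  return $rc
}

# check_https_redirect HOST
#   Live check (needs network): http://HOST/ must answer with a redirect whose
#   Location is https://. Returns 0 on a 301/302/307/308 to https://, 1 otherwise.
check_https_redirect() {
  host=$1
  status_and_loc=$(curl -sS -o /dev/null -w '%{http_code} %{redirect_url}' "http://$host/")
  set -- $status_and_loc
  case "${1:-}" in
    301|302|307|308) case "${2:-}" in https://*) return 0 ;; esac ;;
  esac
  echo "http://$host/ did not redirect to https (got: $status_and_loc)"
  return 1
}

# Constructed sample: a compliant response header block.
SAMPLE_OK="HTTP/2 200
content-security-policy: default-src 'self'
x-frame-options: DENY
strict-transport-security: max-age=31536000; includeSubDomains
referrer-policy: strict-origin-when-cross-origin
content-type: text/html"

# Constructed sample: HSTS present but disabled, and no CSP at all.
SAMPLE_BAD="HTTP/2 200
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=0
referrer-policy: no-referrer"

# `sh check_headers.sh live [host]` runs the two checks against a real host.
if [ "${1:-}" = "live" ]; then
  host=${2:-app.zoarkai.org}
  check_security_headers "$(curl -sSI "https://$host/")"
  check_https_redirect "$host"
fi
```

The audit only looks at one response; run it against a few paths (the login page, an API route, a 404) since frameworks sometimes set headers on HTML responses and forget them on JSON or error responses.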

Security for Self-Hosted Installs

ZoarkBot runs on infrastructure you control. Your security responsibilities:

  • Run ZoarkBot in an isolated container or on a dedicated VPS; do not install it on a machine that holds sensitive personal data
  • Keep API keys and OAuth credentials in environment variables, not hardcoded in config files
  • Enable firewall rules: Zero listens on port 65077 and Zorro on port 59776. Expose these ports only to trusted IPs
  • Use strong, unique gateway auth tokens: the token printed by zoarkbot start grants full agent access, so treat it as a secret and keep it out of logs, tickets, and shared chat
  • Rotate credentials immediately if you suspect compromise
  • Keep ZoarkBot updated by running zoarkbot update regularly
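The firewall and credential-handling steps from the checklist above, as an added example script (not ZoarkBot's own tooling). It assumes a Linux host with nftables (the apply step needs root), uses the two listener ports the page gives, and takes the trusted source addresses from a TRUSTED environment variable. The variable names ZOARKBOT_API_KEY and ZOARKBOT_GATEWAY_TOKEN are hypothetical placeholders; substitute whatever your install actually reads.

```shell
#!/bin/sh
# Added example, not part of ZoarkBot: lock the two listeners down to trusted
# IPs with nftables and keep secrets in an owner-only env file rather than a
# config file. Ports are the ones on the page; the variable names are assumed.
ZERO_PORT=65077
ZORRO_PORT=59776

# zoarkbot_nft_ruleset "203.0.113.10, 198.51.100.0/24"
#   Emits an nftables ruleset that accepts TCP to the two ZoarkBot ports only
#   from the listed IPv4 addresses/CIDRs and drops every other connection to
#   them (including IPv6, since nothing else accepts first). Traffic to other
#   ports is left to the host's existing policy.
zoarkbot_nft_ruleset() {
  trusted=$1
  cat <<EOF
table inet zoarkbot {
  set trusted {
    type ipv4_addr
    flags interval
    elements = { $trusted }
  }
  chain input {
    type filter hook input priority 0; policy accept;
    tcp dport { $ZERO_PORT, $ZORRO_PORT } ip saddr @trusted accept
    tcp dport { $ZERO_PORT, $ZORRO_PORT } drop
  }
}
EOF
}

# write_env_file PATH
#   Writes the secrets to PATH with mode 0600. Values are read from the current
#   environment rather than passed as arguments, so they never appear on a
#   command line (shell history, `ps`). The file is built under a mktemp name
#   (created 0600) and moved into place, so it is never world-readable, even briefly.
write_env_file() {
  path=$1
  tmp=$(mktemp "$path.XXXXXX")
  printf 'ZOARKBOT_API_KEY=%s\n' "${ZOARKBOT_API_KEY:?set ZOARKBOT_API_KEY first}" >> "$tmp"
  printf 'ZOARKBOT_GATEWAY_TOKEN=%s\n' "${ZOARKBOT_GATEWAY_TOKEN:?set ZOARKBOT_GATEWAY_TOKEN first}" >> "$tmp"
  chmod 600 "$tmp"
  mv -f "$tmp" "$path"
}

# `TRUSTED="203.0.113.10, 198.51.100.0/24" sudo -E sh harden.sh apply`
if [ "${1:-}" = "apply" ]; then
  zoarkbot_nft_ruleset "${TRUSTED:?set TRUSTED to a comma-separated list of IPs/CIDRs}" | nft -f -
  nft list table inet zoarkbot
  mkdir -p /etc/zoarkbot
  write_env_file /etc/zoarkbot/env
fi
```

After applying, confirm with `ss -ltn` that the two ports are the only ZoarkBot listeners and that nothing else binds 0.0.0.0 or [::]; if you run ZoarkBot in Docker, remember that published container ports are forwarded before the host's input chain, so bind them to 127.0.0.1 or a private interface instead of relying on this rule alone.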

Scope

In-scope for responsible disclosure:

  • app.zoarkai.org and license.zoarkai.org web services
  • ZoarkBot gateway authentication bypass
  • License validation bypass
  • Injection vulnerabilities in agent tools

Out of scope:

  • Vulnerabilities in third-party services (Clerk, Stripe)
  • Self-inflicted issues from misconfigured user installs
  • Denial-of-service attacks

Bug Bounty

We do not currently run a formal bug bounty program, but we deeply appreciate responsible disclosure and will publicly acknowledge reporters (with permission) in our changelog.