Only the latest release receives security fixes.
| Version | Supported |
|---|---|
| 0.3.x | ✅ |
| < 0.3 | ❌ |
Please do not open a public GitHub issue for security vulnerabilities.
Email: [email protected]
Response time: within 72 hours
Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Things we care about most:
- API token exposure or leakage (stored in
~/.zt-config.json) - Privilege escalation via systemd service or cloudflared config
- Unintended public exposure of tunnels (bypass of Zero Trust policy)
- Supply chain issues in CI/CD (GitHub Actions, dependencies)
- Cloudflare platform vulnerabilities — report those to Cloudflare directly
- Issues in
cloudflareditself — report to cloudflare/cloudflared
- Credentials are stored at
~/.zt-config.jsonwith mode0600 - Tunnel credentials are stored at
~/.zt/tunnels/<name>/<id>.jsonwith mode0600 - cfzt never transmits credentials anywhere except the Cloudflare API over HTTPS
- The Gitleaks CI scan checks all commits for accidentally leaked secrets