We actively maintain and provide security updates for the following versions:

We take security vulnerabilities seriously. If you discover a security vulnerability in zca-js, please follow these steps:

Security vulnerabilities should be reported privately to prevent potential exploitation.

Send an email to the maintainers with the following information:

• Subject: [SECURITY] zca-js vulnerability report
• Description: Detailed description of the vulnerability
• Steps to reproduce: Clear steps to reproduce the issue
• Impact assessment: Potential impact of the vulnerability
• Suggested fix (if available): Any suggestions for fixing the issue

• Initial response: Within 48 hours
• Status update: Within 1 week
• Resolution: As soon as possible, typically within 30 days

⚠️ This is an unofficial API library that simulates browser interactions with Zalo Web. Please be aware of the following security considerations:

1. Account Risk: Using this API may result in your Zalo account being locked or banned. Use at your own risk.

2. Authentication: The library handles sensitive authentication data. Ensure proper security measures when storing or transmitting this information.

3. Rate Limiting: Respect Zalo's rate limits to avoid triggering security measures.

4. Data Privacy: Be mindful of user privacy and comply with relevant data protection regulations.

1. Environment Variables: Store sensitive configuration in environment variables, not in code
2. HTTPS Only: Always use HTTPS when transmitting data
3. Input Validation: Validate all inputs before processing
4. Error Handling: Implement proper error handling to avoid information disclosure
5. Regular Updates: Keep the library updated to the latest version

• This library is not officially supported by Zalo
• API endpoints and behavior may change without notice
• No guarantee of service availability or stability
• May break with Zalo Web updates

Security updates will be released as patch versions (e.g., 2.0.1, 2.0.2) and will be clearly marked in the changelog.

For security-related issues, please contact:

• GitHub Issues: Create a private issue with the [SECURITY] label
• GitHub Discussions: Use the "Security" category for general security questions
• Team Members:
  • @RFS-ADRENO
  • @truong9c2208
  • @JustKemForFun
• Alternative: Contact any team member through GitHub for urgent security matters

We appreciate security researchers and community members who responsibly disclose vulnerabilities. Contributors will be acknowledged in our security advisories unless they prefer to remain anonymous.

Note: This security policy is subject to change. Please check back regularly for updates.