Security Advisories
Information about security vulnerabilities, our disclosure process, and how to report issues responsibly.
Current Advisories
No Active Security Advisories
All known vulnerabilities have been addressed. Check back for updates.
Last checked: July 19, 2026
Severity Levels
We classify security vulnerabilities using standard severity levels:
Remote code execution, data breach risk. Patch immediately.
Privilege escalation, significant security bypass. Update urgently.
Limited impact vulnerabilities. Update at next maintenance window.
Minor issues with limited exploitability. Update when convenient.
Responsible Disclosure Policy
We follow a responsible disclosure process to protect users while giving publishers time to patch vulnerabilities.
90-Day Disclosure Timeline
Publishers have 90 days from notification to release a fix before public disclosure. Critical vulnerabilities may have shorter timelines.
Coordinated Disclosure
We work with publishers to coordinate disclosure timing and ensure fixes are available before public announcement.
Embargo Period
Details are kept confidential during the embargo period. Only affected parties and the reporter have access to vulnerability information.
Reporting Vulnerabilities
How to Report a Security Issue
security@joinasterism.com
For platform vulnerabilities and critical skill issues
Include in Your Report
- Skill name and version affected (for skill vulnerabilities)
- Detailed description of the vulnerability
- Steps to reproduce the issue
- Potential impact and attack scenarios
- Any suggested fixes or mitigations
- Your contact information for follow-up
For Skill Publishers
If a vulnerability is reported in your skill, here's what to expect:
Notification
You'll receive an email with vulnerability details and severity assessment.
Embargo Period
You have time to develop and test a fix. Timeline depends on severity (7-90 days).
Release Fix
Publish a patched version with a clear changelog noting the security fix.
Disclosure
After the fix is released, the advisory is published with credit to the reporter.
Response Time Requirements
- Critical: Acknowledge within 24 hours, fix within 7 days
- High: Acknowledge within 48 hours, fix within 30 days
- Medium/Low: Acknowledge within 7 days, fix within 90 days
Failure to respond may result in temporary skill suspension and verification revocation.
Platform Security Measures
Asterism implements multiple layers of security to protect users:
Automated Scanning
All skills are scanned for known vulnerability patterns before publishing.
Capability System
Skills must declare permissions, making dangerous capabilities visible.
Security Scores
Each skill displays a security score based on automated analysis.
Publisher Verification
Verified publishers are held to higher security standards.
Bug Bounty Program
We offer rewards for responsibly disclosed vulnerabilities in the Asterism platform:
| Severity | Reward Range |
|---|---|
| Critical | $500 - $2,000 |
| High | $200 - $500 |
| Medium | $50 - $200 |
| Low | Recognition + swag |
Note: Bug bounty applies to platform vulnerabilities only, not individual skills. Rewards are at our discretion based on impact, quality of report, and fix complexity.
Past Advisories Archive
No past advisories to display. This page will be updated as vulnerabilities are disclosed and resolved.