Skip to main content

Security Advisories

Information about security vulnerabilities, our disclosure process, and how to report issues responsibly.

Current Advisories

No Active Security Advisories

All known vulnerabilities have been addressed. Check back for updates.

Last checked: July 19, 2026

Severity Levels

We classify security vulnerabilities using standard severity levels:

Critical

Remote code execution, data breach risk. Patch immediately.

High

Privilege escalation, significant security bypass. Update urgently.

Medium

Limited impact vulnerabilities. Update at next maintenance window.

Low

Minor issues with limited exploitability. Update when convenient.

Responsible Disclosure Policy

We follow a responsible disclosure process to protect users while giving publishers time to patch vulnerabilities.

90-Day Disclosure Timeline

Publishers have 90 days from notification to release a fix before public disclosure. Critical vulnerabilities may have shorter timelines.

Coordinated Disclosure

We work with publishers to coordinate disclosure timing and ensure fixes are available before public announcement.

Embargo Period

Details are kept confidential during the embargo period. Only affected parties and the reporter have access to vulnerability information.

Reporting Vulnerabilities

How to Report a Security Issue

Email

security@joinasterism.com

For platform vulnerabilities and critical skill issues

PGP Key

Available at /.well-known/security.txt

Use encryption for sensitive vulnerability details

Include in Your Report

  • Skill name and version affected (for skill vulnerabilities)
  • Detailed description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact and attack scenarios
  • Any suggested fixes or mitigations
  • Your contact information for follow-up

For Skill Publishers

If a vulnerability is reported in your skill, here's what to expect:

1

Notification

You'll receive an email with vulnerability details and severity assessment.

2

Embargo Period

You have time to develop and test a fix. Timeline depends on severity (7-90 days).

3

Release Fix

Publish a patched version with a clear changelog noting the security fix.

4

Disclosure

After the fix is released, the advisory is published with credit to the reporter.

Response Time Requirements

  • Critical: Acknowledge within 24 hours, fix within 7 days
  • High: Acknowledge within 48 hours, fix within 30 days
  • Medium/Low: Acknowledge within 7 days, fix within 90 days

Failure to respond may result in temporary skill suspension and verification revocation.

Platform Security Measures

Asterism implements multiple layers of security to protect users:

Automated Scanning

All skills are scanned for known vulnerability patterns before publishing.

Capability System

Skills must declare permissions, making dangerous capabilities visible.

Security Scores

Each skill displays a security score based on automated analysis.

Publisher Verification

Verified publishers are held to higher security standards.

Bug Bounty Program

We offer rewards for responsibly disclosed vulnerabilities in the Asterism platform:

SeverityReward Range
Critical$500 - $2,000
High$200 - $500
Medium$50 - $200
LowRecognition + swag

Note: Bug bounty applies to platform vulnerabilities only, not individual skills. Rewards are at our discretion based on impact, quality of report, and fix complexity.

Past Advisories Archive

No past advisories to display. This page will be updated as vulnerabilities are disclosed and resolved.