Skip to main content

Security at Asterism

We take security seriously. Learn about our security practices and how to report vulnerabilities.

Vulnerability Disclosure

Report a Security Vulnerability

If you discover a security vulnerability in Asterism, please report it to us immediately. We appreciate your help in keeping our platform and users safe.

What to Include

  • Description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Any proof-of-concept code or screenshots
  • Your contact information for follow-up

Our Commitment

24-48 hours

Initial response time

Weekly updates

During investigation

Public credit

If desired

Important

Please do not publicly disclose any vulnerabilities until we have had an opportunity to address them. We aim to resolve critical issues within 7 days.

Security Practices

Infrastructure Security

  • • Hosted on Vercel with enterprise-grade security
  • • Database hosted on Neon with encryption at rest
  • • All connections encrypted with TLS 1.3
  • • Regular security audits and penetration testing

Application Security

  • • Comprehensive security headers (CSP, HSTS, X-Frame-Options)
  • • Rate limiting on all API endpoints
  • • Input validation with Zod schemas
  • • SQL injection prevention with parameterized queries
  • • XSS protection through React's built-in escaping

Skill Security

  • • All skills scanned for malicious patterns before publishing
  • • Security scoring system (0-100) with minimum threshold
  • • Detection of hardcoded secrets and credentials
  • • Detection of dangerous shell commands and code execution
  • • Capability declarations for required permissions

Authentication & Authorization

  • • OAuth 2.0 authentication (GitHub, Google)
  • • Secure session management with httpOnly cookies
  • • API key authentication for programmatic access
  • • Role-based access control for organizations

Data Protection

  • • GDPR compliant data handling
  • • Data export and deletion capabilities
  • • Minimal data collection principle
  • • Regular data retention reviews

Scope

In Scope

Platform & Infrastructure

  • • joinasterism.com and subdomains
  • • api.joinasterism.com
  • • astercli, astermcp, asterloader, asterscanner npm packages
  • • Official CLI tool
  • • MCP server implementation

Skill Security (What We Scan)

  • • Hardcoded secrets and credentials
  • • Dangerous code execution (eval, shell injection)
  • • Destructive file system operations
  • • Credential file access (.ssh, .aws, .env)
  • • Insecure network patterns
  • • Privilege escalation attempts

Out of Scope

General

  • • Third-party skills (report to skill authors)
  • • Social engineering attacks
  • • Denial of service attacks
  • • Physical attacks
  • • Issues in third-party services

AI-Specific (Not Yet Scanned)

  • • Prompt injection attacks
  • • Data exfiltration via AI context
  • • Jailbreak or bypass techniques
  • • Malicious runtime behavior

Help Us Improve AI Security

If you discover AI-specific vulnerabilities like prompt injection or data exfiltration patterns that our scanner should detect, please report them! We're actively working to expand our security scanning to cover AI-specific threats.

security.txt

We follow the security.txt standard. You can find our security.txt file at /.well-known/security.txt

Security Hall of Fame

We recognize and thank the following security researchers for responsibly disclosing vulnerabilities:

No submissions yet. Be the first!

Contact

For security-related inquiries, please contact: