Security at Asterism
We take security seriously. Learn about our security practices and how to report vulnerabilities.
Vulnerability Disclosure
Report a Security Vulnerability
If you discover a security vulnerability in Asterism, please report it to us immediately. We appreciate your help in keeping our platform and users safe.
What to Include
- Description of the vulnerability and its potential impact
- Step-by-step instructions to reproduce the issue
- Any proof-of-concept code or screenshots
- Your contact information for follow-up
Our Commitment
24-48 hours
Initial response time
Weekly updates
During investigation
Public credit
If desired
Important
Please do not publicly disclose any vulnerabilities until we have had an opportunity to address them. We aim to resolve critical issues within 7 days.
Security Practices
Infrastructure Security
- • Hosted on Vercel with enterprise-grade security
- • Database hosted on Neon with encryption at rest
- • All connections encrypted with TLS 1.3
- • Regular security audits and penetration testing
Application Security
- • Comprehensive security headers (CSP, HSTS, X-Frame-Options)
- • Rate limiting on all API endpoints
- • Input validation with Zod schemas
- • SQL injection prevention with parameterized queries
- • XSS protection through React's built-in escaping
Skill Security
- • All skills scanned for malicious patterns before publishing
- • Security scoring system (0-100) with minimum threshold
- • Detection of hardcoded secrets and credentials
- • Detection of dangerous shell commands and code execution
- • Capability declarations for required permissions
Authentication & Authorization
- • OAuth 2.0 authentication (GitHub, Google)
- • Secure session management with httpOnly cookies
- • API key authentication for programmatic access
- • Role-based access control for organizations
Data Protection
- • GDPR compliant data handling
- • Data export and deletion capabilities
- • Minimal data collection principle
- • Regular data retention reviews
Scope
In Scope
Platform & Infrastructure
- • joinasterism.com and subdomains
- • api.joinasterism.com
- • astercli, astermcp, asterloader, asterscanner npm packages
- • Official CLI tool
- • MCP server implementation
Skill Security (What We Scan)
- • Hardcoded secrets and credentials
- • Dangerous code execution (eval, shell injection)
- • Destructive file system operations
- • Credential file access (.ssh, .aws, .env)
- • Insecure network patterns
- • Privilege escalation attempts
Out of Scope
General
- • Third-party skills (report to skill authors)
- • Social engineering attacks
- • Denial of service attacks
- • Physical attacks
- • Issues in third-party services
AI-Specific (Not Yet Scanned)
- • Prompt injection attacks
- • Data exfiltration via AI context
- • Jailbreak or bypass techniques
- • Malicious runtime behavior
Help Us Improve AI Security
If you discover AI-specific vulnerabilities like prompt injection or data exfiltration patterns that our scanner should detect, please report them! We're actively working to expand our security scanning to cover AI-specific threats.
security.txt
We follow the security.txt standard. You can find our security.txt file at /.well-known/security.txt
Security Hall of Fame
We recognize and thank the following security researchers for responsibly disclosing vulnerabilities:
No submissions yet. Be the first!
Contact
For security-related inquiries, please contact:
- Security Team: security@joinasterism.com
- PGP Key: Coming soon