This is a copy of the security policy in the core Ash repo. That is the authoritative source.

This repository follows the OpenSSF Vulnerability Disclosure guide. You can learn more about it in the Finders Guide.

Please report vulnerabilities via the GitHub Security Vulnerability Reporting or via email to security@ash-hq.org if this does not work for you.

Someone from the core team respond within 3 working days of your report. If the issue is confirmed as a vulnerability, we will open a Security Advisory. This project follows a 90 day disclosure timeline.

If you have questions about reporting security issues, email the vulnerability management team: security@erlef.org