Security is the core mission of ASH.
ASH is a security-focused library designed to protect applications from request tampering, replay attacks, and data manipulation. We take all security issues seriously and respond quickly.
If you discover a security vulnerability or potential exploit:
❌ DO NOT open a public issue
❌ DO NOT disclose it publicly
Please report it privately to:
Include:
- Description of the issue
- Steps to reproduce
- Proof of concept (if available)
- Affected versions
- Potential impact
We aim to:
- Acknowledge within 48 hours
- Investigate promptly
- Provide fixes as quickly as possible
- Coordinate responsible disclosure
Critical vulnerabilities are prioritized immediately.
We follow responsible disclosure practices:
- Issue is reported privately
- We validate and patch
- Security release is prepared
- Public advisory is published
- Credit is given to the reporter (optional)
We appreciate ethical security research.
Security patches are provided for:
- Latest major version
- Latest minor versions only
Older versions may not receive fixes.
Please upgrade regularly.
When using ASH:
- Always use HTTPS
- Keep dependencies updated
- Do not expose secrets in client-side code
- Rotate keys regularly
- Use the latest version
ASH improves security, but correct configuration is essential.
Security is a shared responsibility.
Thank you for helping keep the ecosystem safe.