We take the security of Acrossed and the applications it protects very seriously. Thank you for taking the time to disclose responsibly.
Please do not open a public GitHub issue for security problems.
Instead, email security@acrossed.com with:
- A description of the issue and the impact you believe it has.
- Steps to reproduce, ideally with a minimal proof of concept.
- The affected component (engine, dashboard, sdk-node, sdk-python, sdk-go).
- Your name or handle if you'd like to be credited in the advisory.

We will acknowledge receipt within 2 business days and aim to provide a status update within 5 business days.
If the vulnerability is confirmed, we will:
- Issue a fix in a private branch.
- Coordinate a release date with you.
- Credit you in the published GitHub Security Advisory (unless you'd prefer to remain anonymous).

| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 (preview) | ❌ |

Only the latest minor release of the current major version receives security fixes.
Researchers who have responsibly disclosed issues to us will be listed here once advisories are published.
- Every release is signed.
- All HTTP traffic between the SDKs and the engine is HMAC-SHA256 signed.
- The engine is stateless and never persists request bodies.
- Production secrets, infrastructure topology, and operational tooling for acrossed.com are intentionally not part of this repository.