Security: Aspect-Research/aspectcode

.github/SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in Aspect Code, please report it responsibly.

Do not open a public issue. Instead, email security@aspectcode.com with:

  • A description of the vulnerability
  • Steps to reproduce
  • The impact you've assessed

We will acknowledge receipt within 48 hours and provide a timeline for a fix.

Scope

This policy covers:

  • The aspectcode npm package and its bundled dependencies
  • The CLI's authentication and credential storage
  • The LLM proxy communication protocol

Out of scope:

  • The web app at aspectcode.com (report separately to the same email)
  • Third-party dependencies (report to their maintainers)

There aren’t any published security advisories