
Security: Aryan1718/ASTAP

Security Policy

Supported Versions

ASTAP is under active development. Security fixes are applied to the latest default branch.

Reporting a Vulnerability

Please do not open public issues for security vulnerabilities.

Use GitHub Private Vulnerability Reporting (Security Advisories) for this repository. If it is unavailable, contact the maintainers privately and include:

  • Summary and impact
  • Affected components
  • Reproduction steps or proof-of-concept
  • Suggested mitigation (if known)

Response Targets

  • Initial triage: within 5 business days
  • Status update after validation: within 10 business days
  • Fix timeline: depends on severity and complexity

Disclosure

After a fix is released, maintainers may publish a coordinated disclosure note with impact and remediation guidance.

Scope Guidance

In-scope examples:

  • Authentication and authorization bypass
  • Sensitive data exposure
  • Remote code execution paths
  • Broken isolation in run/job execution

Out-of-scope examples:

  • Best-practice recommendations without an exploit path
  • Social engineering or physical attacks
  • Vulnerabilities only in third-party services outside project control
