If you discover a security vulnerability in Asobi, please report it privately so we can fix it before it is publicly disclosed.
Do not open a public GitHub issue for security issues.
Either of these channels works:
- GitHub Security Advisory (preferred): Report privately
- Email: security@asobi.dev
What to expect:
- Acknowledgement within 48 hours
- Initial assessment within 7 days
- Coordinated disclosure timeline agreed with you
- Credit in the security advisory if you want it
| Version | Supported |
|---|---|
| latest stable | ✅ |
| older releases | ❌ — please upgrade |
In scope:
- The asobi Erlang/OTP library (this repository)
- Bundled client SDKs in this org
Out of scope:
- The hosted asobi.dev SaaS — see https://asobi.dev/security
- Third-party dependencies — please report upstream
We credit security researchers who report responsibly. Past advisories are listed under Security advisories.
Engineering documentation about how the runtime defends itself, and what operators are responsible for, is published as part of the project guides:
- Threat model — what asobi treats as trusted vs. untrusted, the single-node design constraint, BEAM distribution and public-ETS assumptions.
- Authentication & rate limiting — Apple StoreKit 2 JWS verification chain, per-route rate-limit groups, the brute-force surface, and the integration test suite that pins it.
- Known limitations — the resource-exhaustion gaps the runtime does not close (mostly operator-facing), and the rationale for each.