# Security Policy

[![OpenSSF Vulnerability Disclosure](https://img.shields.io/badge/OpenSSF-Vulnerability_Disclosure-green)](https://github.com/ossf/oss-vulnerability-guide/blob/main/finder-guide.md)
[![GitHub Report](https://img.shields.io/badge/GitHub-Security_Advisories-blue)](https://github.com/ash-project/ash/security/advisories/new)
[![Email Report](https://img.shields.io/badge/Email-security%40ash--hq.org-blue)](mailto:security@ash-hq.org)

This repository follows the [OpenSSF Vulnerability Disclosure guide](https://github.com/ossf/oss-vulnerability-guide/tree/main). You can learn more about it in the [Finders Guide](https://github.com/ossf/oss-vulnerability-guide/blob/main/finder-guide.md).

Please report vulnerabilities via the [GitHub Security Vulnerability Reporting](https://github.com/ash-project/ash/security/advisories/new)
or via email to [`security@ash-hq.org`](mailto:security@ash-hq.org) if this does not work for you.

Someone from the core team respond within 3 working days of your
report. If the issue is confirmed as a vulnerability, we will open a Security
Advisory. This project follows a 90 day disclosure timeline.

If you have questions about reporting security issues, email the vulnerability
management team: [`security@erlef.org`](mailto:security@erlef.org)