Report a Security Vulnerability
If you believe you have discovered a vulnerability in an Aspect product please report it.
Responsible Disclosure Policy
Safety and data security is of utmost priority for Aspect. If you are a security researcher and have discovered a security vulnerability in our code base, we appreciate your help in disclosing it to us in a responsible manner.
- Please email security@aspect.build to report any security vulnerabilities found in our community aspect-cli or bazel-lib Aspect Workflows deployments, any of the open source code bases maintained by Aspect, or any of our commercial offerings.
- Please refrain from requesting compensation for reporting vulnerabilities.
- We will acknowledge receipt of your vulnerability report and send you regular updates about our progress.
- If your report is reproducible as an exploit and results in a change to the code base or documentation of a Aspect product, we will–at your option–publicly acknowledge your responsible disclosure.
- After a fix is made, we ask security researchers to wait 30 days after a release before announcing the specific details of a vulnerability, and to provide Aspect with a link to any such announcements. In releases containing security fixes, Aspect announces an update is available, acknowledges the contributions of security researchers, and it withholds specific details until 30 days after availability to give time for the community to apply updates.
You are not allowed to search for vulnerabilities on any deployment of Aspect Workflows hosted by the team, users, or customers with the exception of non-disruptive testing on the community aspect-cli or bazel-lib Aspect Workflows deployments mentioned above.
If you wish to perform testing that may result in disruption of service, please contact us to arrange access to a private staging deployment in order to not disrupt others work in the aspect-cli or bazel-lib Aspect Workflows deployments.
See the Aspect Security Updates page for a list of security updates by release.