Security
Found a security issue?
We take vulnerabilities seriously. The fastest path to a fix is responsible disclosure to security@astru.dev. Encrypt with PGP if the issue is sensitive.
What's in scope
- Any astru.app subdomain in production
- The npm package @astru/cli
- The Docker images shipped under infrastructure/docker/
- Anything in github.com/agenticaio/astru
What's NOT in scope
- Denial-of-service tests against production
- Social engineering of our team
- Physical security of our infrastructure vendors
- Issues in third-party services we depend on (report to them directly)
What you'll get back
- Acknowledgement within 24 hours
- Triaged severity within 72 hours
- Fix shipped + post-mortem within 30 days for high-severity issues
- Public credit (if you want it) in the post-mortem + /changelog
- Bounty for confirmed high-severity issues, sized per issue. We're a startup, not Google, so it's a thanks and recognition more than a wage.
PGP
PGP key publishing pending. For the first weeks after launch, plain email to security@astru.dev is acceptable. Don't include exploit code in the first message. Describe the issue and we'll coordinate a secure channel.
How we generated this key (for transparency)
# Generate an Ed25519 + Curve25519 key on an air-gapped machine:
gpg --quick-generate-key 'Astru Security <security@astru.dev>' ed25519 cert,sign,auth 5y
gpg --quick-add-key <KEY_ID> cv25519 encr 5y

# Publish:
gpg --export --armor security@astru.dev > pubkey.asc
gpg --send-keys --keyserver keys.openpgp.org <KEY_ID>

# Set on Vercel:
SECURITY_PGP_KEY_ID=0x<short_id>
SECURITY_PGP_FINGERPRINT=<full_fingerprint>
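A short key ID like the one in SECURITY_PGP_KEY_ID is not enough on its own to identify a key; before encrypting a report, compare the full fingerprint of the key you fetched against the published SECURITY_PGP_FINGERPRINT. The POSIX sh functions below do that consistency check. They are an added example, not part of this page or of Astru's tooling, and the fingerprint and key ID values in it are constructed placeholders, not the real Astru key.

```shell
#!/bin/sh
# Added example: consistency checks between a published PGP key ID, a published
# fingerprint and the fingerprint of a key fetched from a keyserver.
# Assumes SECURITY_PGP_KEY_ID looks like 0x<short_id> (8 or 16 hex digits) and
# SECURITY_PGP_FINGERPRINT is a 40-hex-digit OpenPGP v4 fingerprint.

# Normalise a fingerprint or key ID: drop spaces and an optional 0x prefix, uppercase.
norm_fpr() {
  printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Succeed only if the value is exactly 40 hex digits (a v4 fingerprint).
valid_fpr() {
  f=$(norm_fpr "$1")
  [ "${#f}" -eq 40 ] && [ -z "$(printf '%s' "$f" | tr -d '0-9A-F')" ]
}

# Succeed only if the key ID (8 or 16 hex digits) is the trailing part of the
# fingerprint, i.e. both values can refer to the same key.
keyid_matches_fpr() {
  id=$(norm_fpr "$1"); f=$(norm_fpr "$2")
  valid_fpr "$f" || return 1
  case "${#id}" in 8|16) ;; *) return 1 ;; esac
  [ "${f%"$id"}" != "$f" ]
}

# Succeed only if two fingerprints are identical after normalisation. Use this to
# compare the fingerprint gpg reports for a fetched key with the published one.
same_key() {
  valid_fpr "$1" && valid_fpr "$2" && [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Constructed placeholder values (not Astru's real key).
SECURITY_PGP_FINGERPRINT='0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567'
SECURITY_PGP_KEY_ID='0x01234567'

if keyid_matches_fpr "$SECURITY_PGP_KEY_ID" "$SECURITY_PGP_FINGERPRINT"; then
  echo "key ID and fingerprint are consistent"
else
  echo "key ID does not belong to the published fingerprint" >&2
fi
```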
Past disclosures + post-mortems
See /changelog filtered to entries tagged security. Every confirmed issue ships with a public post-mortem within 72 hours of fix.