Security
Reporting a vulnerability
For a specific released project, see that project’s SECURITY.md (linked from the project’s page).
For something affecting Ardeshir as a whole - infrastructure, governance, or cross-project issues - email:
Artaxshathra@proton.me
We follow coordinated disclosure. Do not report security issues in public.
What we aim for
These are the targets we try to meet for security reports. They are not contractual obligations - we are volunteers and we work in good faith with the time we have. We will tell you if we cannot meet a target on a specific report.
| Step | Target |
|---|---|
| Acknowledge | within 72 hours |
| Severity assigned | within 7 days |
| Fix or mitigation | within 30 days for High/Critical, within 90 days for Medium/Low |
| Public advisory | at the agreed disclosure date |
| Credit you | yes, in your chosen form, unless you decline |
Verifying a released project
For each released project:
- Pull the source at the release tag from the project’s public repository.
- Download the release artifacts and detached signatures.
- Import the project’s release keys (fingerprints listed on the project’s page).
- Verify the detached signatures against those keys and confirm that the project's n-of-m threshold of distinct release keys is met.
If verification fails, do not trust the artifact. Email Artaxshathra@proton.me.
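As an added example (not the collective's or any project's own tooling), the shell below carries the four steps above through to the n-of-m check, using GnuPG's machine-readable `--status-fd` output rather than eyeballing "Good signature" lines. The fingerprints in `TRUSTED_FPRS`, the `THRESHOLD`, and the artifact and signature file names are placeholders to be replaced with the values from the project's page; the status lines described in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the collective's own tooling: carry the release-verification
# steps through to the n-of-m signature check using GnuPG's machine-readable
# status output (--status-fd). TRUSTED_FPRS and THRESHOLD are placeholders; take
# the real fingerprints and threshold from the project's page.

# Constructed placeholder fingerprints (40 hex digits each), NOT real release keys.
TRUSTED_FPRS="1111111111111111111111111111111111111111 \
2222222222222222222222222222222222222222 \
3333333333333333333333333333333333333333"
THRESHOLD=2   # placeholder n: distinct signers required out of the m keys above

# Step 3 check: after 'gpg --import release-keys.asc', confirm every listed
# fingerprint is actually in the keyring (fpr records carry it in field 10).
keys_present() {
  for fpr in $1; do
    gpg --batch --with-colons --list-keys 2>/dev/null | grep -q "^fpr:::::::::$fpr:" || return 1
  done
}

# Print each distinct trusted key that produced a VALIDSIG line in a status file.
#   $1 = file of '[GNUPG:] ...' status lines, $2 = space-separated trusted fingerprints
# Only VALIDSIG counts: GOODSIG alone says the signature checked out against *some*
# key, BADSIG/NO_PUBKEY/EXPKEYSIG contribute nothing, and a key that signs twice
# is still one signer. Field 3 is the signing (sub)key, field 12 the primary key.
good_signers() {
  awk -v trusted="$2" '
    BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
      k = ""
      if ($3 in ok) k = $3; else if ($12 in ok) k = $12
      if (k != "" && !(k in seen)) { seen[k] = 1; print k }
    }' "$1"
}

count_good_signers() { good_signers "$1" "$2" | wc -l | tr -d ' '; }

# Succeed (exit 0) only when at least $3 distinct trusted keys signed.
meets_threshold() { [ "$(count_good_signers "$1" "$2")" -ge "$3" ]; }

# Step 4: verify one artifact against all of its detached signatures.
#   usage: verify_artifact release.tar.gz release.tar.gz.sig.a release.tar.gz.sig.b ...
verify_artifact() {
  artifact=$1; shift
  status=$(mktemp) || return 2
  for sig in "$@"; do
    # Each run appends its status lines; a bad or unknown signature adds no VALIDSIG.
    gpg --batch --status-fd 1 --verify "$sig" "$artifact" >>"$status" 2>/dev/null
  done
  n=$(count_good_signers "$status" "$TRUSTED_FPRS")
  rm -f "$status"
  if [ "$n" -ge "$THRESHOLD" ]; then
    echo "OK: $artifact carries $n trusted signatures (threshold $THRESHOLD)"
    return 0
  fi
  echo "FAIL: $artifact carries only $n trusted signatures, need $THRESHOLD; do not trust it" >&2
  return 1
}
```

The parser deliberately keys on `VALIDSIG` and de-duplicates by key, so two signatures from the same release key, or a signature from a key that was never on the project's list, cannot satisfy the threshold. Run `keys_present "$TRUSTED_FPRS"` once after importing the keys, then `verify_artifact` per artifact; a non-zero exit is the "do not trust the artifact" case from the text.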
Canary
We publish a signed monthly canary attesting to certain conditions about the collective. Its absence past the grace period is itself information. See Canary.
Standard disclaimers
Software released by the collective is provided “as is”, without warranty of any kind. We are not responsible for how our software is used or for any consequences of its use - see the full disclaimer.
This collective is not a legal entity. Independent volunteers cooperate under documents that are visible to members of the collective.
What you should not do
- Do not exploit a vulnerability beyond the minimum needed to demonstrate it.
- Do not access, modify, or destroy data that is not yours.
- Do not publicly disclose a vulnerability before the agreed date.