If you discover a security vulnerability in the ASP samples — whether in server code, agent logic, or dependencies — please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, email: secops@prosus.com
Include:
- A description of the vulnerability
- Steps to reproduce or a proof-of-concept
- The affected domain and component (server, agent, database, etc.)
- Any potential impact you've identified
| Step | Timeline |
|---|---|
| Acknowledgement of your report | Within 3 business days |
| Initial assessment and severity triage | Within 7 business days |
| Fix development and review | Depends on severity |
| Public disclosure (coordinated with reporter) | After fix is released |
The samples in this repository are reference implementations intended for local development and demonstration. They are not designed for production deployment. In particular:
- SQLite databases are created locally and are not hardened
- No authentication or rate limiting is applied to API endpoints
- The OpenAI API key is read from a local `.env` file, which must not be committed to version control
Security reports about production-readiness concerns in the sample code are appreciated but may be addressed as documentation improvements rather than code fixes.
This policy covers:
- Server-side code in all domain implementations
- Client agent code and tool definitions
- Dependencies declared in `pyproject.toml`
- Any secrets or credentials accidentally committed to the repository
We're happy to credit reporters in our CHANGELOG and release notes (unless you prefer to remain anonymous).