If you believe you have found a security issue in any Ambisphere repository:
- Do not open a public issue. Even at concept stage, public disclosure complicates coordinated fixes.
- Open a GitHub private security advisory on the relevant repository. This is the preferred channel.
- If you cannot use GitHub advisories, contact the org owner directly via the email listed on the organization profile.
Include in your report:
- The repository and the specific file, function, or behavior involved.
- A minimal reproduction or proof-of-concept.
- The impact you observed.
- Any suggested mitigation.
This policy applies to every public repository under the ambisphere organization.
At concept stage, most code is exploratory and not deployed anywhere — the realistic security surface is limited to local-daemon design, supply-chain considerations (dependencies in any code that lands), and credential or token handling in tooling. We still want to hear about issues; "this is exploratory" is not a reason to dismiss a real concern.
We will acknowledge a report within five business days. Resolution timelines depend on severity and the maturity of the affected component. Reporters will be credited in the fix unless they ask to remain anonymous.
The following are out of scope for this policy:
- Vulnerabilities in third-party dependencies that this org's code does not pin or import.
- Theoretical risks without a concrete reproduction.
- Social-engineering attacks that do not involve a technical flaw in our code or infrastructure.
Ambisphere does not currently offer monetary rewards for security reports. We do offer credit, gratitude, and a fix.