If you discover a security vulnerability in the ARS specification or its reference implementations, please do NOT open a public issue.
Instead, send a description to the project maintainers. We will acknowledge receipt within 48 hours and provide a timeline for resolution.
This security policy covers:
- The ARS Bootstrap Specification (Ch1–Ch9)
- The reference implementation (
implementations/python/) - Documented contracts and invariants
Vulnerabilities in:
- Downstream projects using the Python reference implementation
- Third-party dependencies
- Agent platforms (runtimes (Python Reference Implementation, Codex CLI), etc.)