If you discover a security vulnerability in asobi_lua, please report it
privately so we can fix it before it is publicly disclosed.
Do not open a public GitHub issue for security issues.
Either of these channels works:
- GitHub Security Advisory (preferred): open a private vulnerability report on this repository's Security tab
- Email: security@asobi.dev
What to expect after you report:
- Acknowledgement within 48 hours
- Initial assessment within 7 days
- Coordinated disclosure timeline agreed with you
- Credit in the security advisory if you want it
Supported versions (security fixes are issued only for these):

| Version | Supported |
|---|---|
| latest stable | ✅ |
| older releases | ❌ — please upgrade |
In scope:
- The `asobi_lua` Erlang/OTP runtime (this repository)
- The Luerl sandbox configuration shipped with this runtime
Out of scope:
- The hosted asobi.dev SaaS — see https://asobi.dev/security
- The `asobi` library — report to https://github.com/widgrensit/asobi/security
- Third-party dependencies (Luerl etc.) — please report upstream
Engineering documentation about the sandbox, trust assumptions, and known limitations is published as part of the project guides:
- Sandbox model — what's stripped, what's replaced, per-callback timeouts, cross-script isolation, atom-table protection.
- Trust model — what asobi_lua treats as trusted vs. untrusted, plus verified negative results from prior audits.
- Known limitations — the resource-exhaustion and rollback gaps that the sandbox does not close, with operator-facing mitigations.