# Security Policy

The ASK design system is itself a security artifact: the four compliance patterns and the implicit-RBAC rule are what make the product safe to use. A regression here is a security incident.

## Reporting a vulnerability

**Do not open a public issue.** Email **[security@mir-ai.it](mailto:security@mir-ai.it)** (CC: matteo.rizzo@mir-ai.it) with:

- A short description of the issue.
- Steps to reproduce or the affected file / token / pattern.
- Impact you anticipate (data leak, RBAC bypass, audit-trail gap, etc.).

You can expect:

- An acknowledgement within **2 working days**.
- A triage assessment within **5 working days**.
- A coordinated disclosure timeline if the issue is confirmed.

## In-scope concerns

This repository's security surface is narrow but real:

| Concern | Why it matters |
|---|---|
| Compliance pattern regression | Patterns A–D are mandatory. A "softened" version that ships defeats the purpose. |
| Implicit-RBAC violation | Under implicit RBAC, actions a user is not authorized for are not rendered at all. Tokens or component variants that show such actions as "disabled" are forbidden: they reveal that the action exists and who is allowed to use it, i.e. they leak the access model. |
| HITL (human-in-the-loop) bypass | Any single-click submit on an external-write action is a vulnerability; such actions must always pass through an explicit confirmation step. |
| Citation drift | Components that render agent output without an inline citation slot violate Pattern A. |
| Token tampering | Edits made directly to derived artifacts instead of to `tokens.json` (the source of truth), so the brand changes with no changelog entry and no review of the source. |
| Leaked credentials | Tokens Studio PATs, Chromatic project keys, or Figma sync secrets committed to history. |

## Out of scope

- Aesthetic preferences that don't affect compliance — file a normal issue.
- Third-party Figma plugin behavior — report to the plugin vendor.
- Browser-specific font-rendering quirks — file a bug.

## Hard rules

- **No production secrets in this repository.** Tokens Studio PATs, Chromatic project keys and Figma sync secrets live in GitHub Actions secrets and are referenced from workflows; they are never written into code, config, or commit history.
- **No customer data, ever.** Screenshots used in examples must be synthetic or scrubbed.
- **Branch protection on `main`** enforces signed commits and CODEOWNERS review for `compliance/*`, `design-tokens/**`, and `.github/workflows/**`.
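
The "leaked credentials" concern above and the first hard rule can be enforced mechanically before a commit ever reaches `main`. The script below is an added example for this policy, not code from the ASK repository: a pre-commit hook that scans the staged diff for credential-looking strings and blocks the commit. The token shapes (`ghp_`/`github_pat_` for the GitHub PATs that Tokens Studio sync uses, `figd_` for Figma personal access tokens, `chpt_` for Chromatic project tokens) are assumptions based on the prefixes those providers publicly use; the sample diff is constructed for illustration. A `${{ secrets.NAME }}` reference in a workflow is the correct way to consume a key, so the scanner deliberately lets those lines through.

```python
#!/usr/bin/env python3
"""Pre-commit guard: refuse to commit credential-looking strings.

Added example for this SECURITY.md, not part of the ASK repository.
Token prefixes below are assumptions about what each provider issues;
adjust them to the credentials your project actually uses.
"""
import re
import subprocess
import sys

# Assumed token shapes (not stated on the policy page):
#   ghp_ / github_pat_  GitHub PATs (used by Tokens Studio GitHub sync)
#   figd_               Figma personal access tokens
#   chpt_               Chromatic project tokens
SECRET_PATTERNS = {
    "github-pat-classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github-pat-fine-grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    "figma-pat": re.compile(r"\bfigd_[A-Za-z0-9_-]{20,}"),
    "chromatic-project-token": re.compile(r"\bchpt_[A-Za-z0-9]{12,}\b"),
}

# Referencing a GitHub Actions secret is the *correct* way to use a key,
# so a line like `token: ${{ secrets.X }}` must never trip the scanner.
ACTIONS_SECRET_REF = re.compile(r"\$\{\{\s*secrets\.[A-Z0-9_]+\s*\}\}")


def find_secrets(diff_text: str):
    """Return (file, line_no, rule, redacted_prefix) for every *added*
    line that looks like a credential. Removed lines are ignored, so a
    commit that deletes a leaked key is never blocked."""
    findings = []
    current_file = None
    line_no = 0
    in_hunk = False
    for raw in diff_text.splitlines():
        if raw.startswith("diff "):
            in_hunk = False
        elif raw.startswith("+++ ") and not in_hunk:
            current_file = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            # "@@ -a,b +c,d @@": the new-file line counter starts at c
            in_hunk = True
            m = re.search(r"\+(\d+)", raw)
            line_no = int(m.group(1)) - 1 if m else 0
        elif raw.startswith("+"):
            line_no += 1
            body = raw[1:]
            if ACTIONS_SECRET_REF.search(body):
                continue
            for rule, pat in SECRET_PATTERNS.items():
                m = pat.search(body)
                if m:
                    # Report only a prefix so the hook's own output does not leak the key
                    findings.append((current_file, line_no, rule, m.group(0)[:8] + "..."))
                    break
        elif raw.startswith(" "):
            line_no += 1  # unchanged context line
    return findings


# Constructed sample diff for demonstration (not real ASK history).
SAMPLE_DIFF = """\
diff --git a/.github/workflows/chromatic.yml b/.github/workflows/chromatic.yml
--- a/.github/workflows/chromatic.yml
+++ b/.github/workflows/chromatic.yml
@@ -12,0 +13,2 @@
+          projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
+          exitZeroOnChanges: true
diff --git a/scripts/sync.sh b/scripts/sync.sh
--- a/scripts/sync.sh
+++ b/scripts/sync.sh
@@ -3,0 +4,2 @@
+FIGMA_TOKEN=figd_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789
+GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
"""


def staged_diff() -> str:
    """Diff of what is about to be committed; --unified=0 drops context."""
    return subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        check=True, capture_output=True, text=True,
    ).stdout


def main() -> int:
    findings = find_secrets(staged_diff())
    for path, line, rule, prefix in findings:
        print(f"{path}:{line}: {rule} ({prefix}) - move it to a GitHub Actions secret",
              file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (or wire it into a pre-commit framework) and it rejects the staged change whenever a key literal is added. On `SAMPLE_DIFF` it flags the two lines in `scripts/sync.sh` and passes the workflow that references `secrets.CHROMATIC_PROJECT_TOKEN`. Treat it as a first line of defence only: a server-side secret scan on `main` is still needed, because a local hook can be skipped with `--no-verify`.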

Thank you for keeping ASK trustworthy.
