Skip to content

Security: zakhar-git/OSINT-Toolkit

Security

SECURITY.md

Security policy

Previous: Contributing · Next: Code of Conduct · Back to README

Table of contents

Supported versions

Security and safety corrections are applied to the default branch. Historical tags and forks are not supported unless a release note says otherwise.

Report privately

Use GitHub's Report a vulnerability function in the repository Security tab. If private vulnerability reporting is unavailable, open a public issue containing only a request for a private contact channel. Do not include the vulnerability, exploit, credentials, personal data, or affected source in that issue.

What to include

  • affected file, workflow, or documented process;
  • impact on users, sources, or evidence integrity;
  • minimal reproduction using synthetic data;
  • suggested mitigation, if known;
  • whether any third party has already been notified.

Response process

Maintainers will acknowledge a complete report within seven days, assess severity and scope, coordinate a correction, and credit the reporter if requested and safe. Timelines depend on whether a third-party tool or platform must act first.

Out of scope

  • vulnerabilities in third-party tools merely linked by this repository;
  • reports generated entirely by automated scanners without demonstrated impact;
  • social engineering, denial of service, or testing against contributor accounts;
  • requests to disclose private case data or security contacts;
  • claims that a public link is unsafe without a reproducible basis.

Report third-party vulnerabilities to the upstream project's security channel. Tell this project privately when a listed tool creates a material risk so the entry can be warned, reclassified, or removed.

Safe harbor

Good-faith research must remain within this policy, avoid privacy violations and service disruption, use the minimum data necessary, and stop when unexpected sensitive data appears. This policy does not grant authorization to test third-party systems.


Previous: Contributing · Next: Code of Conduct · Back to README

There aren't any published security advisories