Worker safety and privacy are our highest priorities. This toolkit is designed to protect workers, not expose them. We take security vulnerabilities seriously and respond promptly.
This could expose workers to risk or allow exploitation before fixes are deployed.
Email: [TODO: Add your security email here]
Include in your report:
- Description: What is the vulnerability?
- Impact: How could this affect worker safety or privacy?
- Reproduction: Step-by-step instructions to reproduce
- Affected versions: Which versions are vulnerable?
- Suggested fix: If you have ideas (optional)
- Credit preference: How you'd like to be credited (optional)
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline:
- Critical (worker safety): 24-72 hours
- High severity: 7-14 days
- Medium severity: 30 days
- Low severity: 60 days
- We practice coordinated disclosure
- Vulnerabilities will be disclosed after fixes are deployed
- You will be credited (unless you prefer anonymity)
- We may request embargo period for critical issues
- The MCP server (
osint_server.py) - Tool implementations in
tools/directory - Docker container security
- Configuration handling
- Data privacy leaks
- OPSEC bypass techniques
- Dependencies with known CVEs
- External APIs (report to the API provider)
- Third-party tools (report to tool maintainers)
- Social engineering attacks
- Physical security
- Theoretical vulnerabilities without proof of concept
| Version | Supported | End of Support |
|---|---|---|
| 1.x.x | β Yes | TBD |
| < 1.0 | β No | 2024-XX-XX |
We support the latest major version. Security patches are backported to the previous major version for 6 months after a new major release.
These are intentional aspects of the toolkit:
-
Investigation Traces: All OSINT activities leave traces (IP logs, DNS queries, etc.)
- Mitigation: Use VPN/Tor as documented in OPSEC guides
-
Local Storage: Investigation results stored locally on user's machine
- Mitigation: Users responsible for encrypting their systems
-
API Keys: Some tools require API keys stored in environment variables
- Mitigation: Never commit keys; use Docker secrets
-
Rate Limiting: Not all tools enforce rate limiting
- Status: Planned for v1.1
- Workaround: Manual delays between requests
-
Tor Integration: Not fully implemented
- Status: Planned for v1.2
- Workaround: Use Tor Browser or external Tor proxy
OPSEC Critical:
- Always use VPN for investigations
- Use dedicated devices/browsers
- Clear history after each session
- Never investigate from workplace networks
- Encrypt your investigation results
Configuration:
- Never commit API keys to git
- Use environment variables or Docker secrets
- Review
.gitignorebefore commits - Keep Docker images updated
Privacy Levels:
- Start with "conservative" privacy level
- Understand traces left by each tool
- Read OPSEC warnings before investigations
Code Review:
- Check for hardcoded secrets
- Validate all external input
- Use type hints and validation
- Include OPSEC considerations in tool docs
Dependencies:
- Keep dependencies minimal
- Use pinned versions in
requirements.txt - Review dependency licenses
- Update regularly for security patches
Testing:
- Never commit test data from real investigations
- Use mock/fake data in tests
- Sanitize example outputs in docs
Security fixes are announced via:
- GitHub Security Advisories (automatic for critical issues)
- Release Notes in CHANGELOG.md
- GitHub Discussions (if appropriate)
# Check for updates
git fetch origin
git log HEAD..origin/main --oneline
# Update to latest
git pull origin main
docker build -t worker-osint-mcp:latest .We recognize researchers who help keep workers safe:
- [Waiting for first contributor!]
Thank you for making this toolkit safer for workers worldwide.
- See
docs/OPSEC_ADVANCED.mdfor comprehensive guidance - See
docs/USAGE_GUIDE.mdfor tool-specific OPSEC
- Bandit: Python security linter (runs in CI/CD)
- Trivy: Container vulnerability scanning
- Dependabot: Automated dependency updates
This toolkit is for legitimate worker advocacy only. Using these tools to:
- Harass or stalk individuals
- Access systems without authorization
- Violate privacy laws
- Support anti-union activities
...is explicitly prohibited and may violate laws in your jurisdiction.
Worker safety and privacy always come first.
- Security issues: [TODO: security email]
- General issues: GitHub Issues
- Questions: GitHub Discussions
- Emergency: If you've discovered an active attack on workers using this tool, email immediately with [URGENT] in subject
This security policy is part of our commitment to worker safety and solidarity. β