Legal

Security Policy

How to report vulnerabilities, what is in scope, and the current safeguards used across the CLI, dashboard, API, and release workflow.

Last updated: May 20, 2026

Supported Versions

0.3.xCurrent
< 0.3.0Unsupported

Reporting A Vulnerability

Do not report vulnerabilities through public GitHub issues.

Email: itsafnanksalal@gmail.com

PGP is available on request.

Please include the affected component, reproduction steps, impact assessment, safe logs or screenshots, and suggested mitigation if known.

Response Targets

Acknowledgement

48 hours

Initial assessment

7 days

Patch timeline

14 days

Coordinated disclosure

90 days unless risk requires faster action

Scope

In scope:

  • breachscope CLI package.
  • Dashboard application and API routes.
  • Authentication, API key, SCIM, SAML, scan ingestion, and triage flows.
  • Release, npm package, and GitHub Actions workflows.

Out of scope:

  • Vulnerabilities in third-party projects that BreachScope scans.
  • Denial of service through intentional resource exhaustion.
  • Social engineering.
  • Findings that require access to another user's dashboard account without an underlying vulnerability.

Current Security Practices

  • Dependency audits run in CI.
  • CLI and web builds are typechecked, linted, tested, and audited.
  • API keys are hashed before storage.
  • Dashboard secrets are encrypted with AES-256-GCM.
  • Scan ingestion validates payload size, fields, dates, finding count, and embedded JSON.
  • API key scopes are enforced for scan upload and CLI config access.
  • CLI auth polling is replay-safe.
  • Sandbox secrets are excluded by default and require --include-secrets.
  • SAML ACS fails closed until assertion validation and IdP certificate pinning are configured.