| Version | Supported |
|---|---|
| 0.1.x | ✅ |
If you discover a security vulnerability in ctrlmap, please report it privately through GitHub Security Advisories (the "Report a vulnerability" option on the repository's Security tab). The advisory stays private until a fix is available and the report is published.
Please do not open a public issue or pull request for security vulnerabilities, since that discloses the problem before a fix exists.
When reporting, please include:
- A clear description of the vulnerability
- Steps to reproduce the issue
- The potential impact
- Any suggested fixes (optional)
You can expect the following response times:
- Acknowledgment: within 48 hours
- Initial assessment: within 1 week
- Fix or mitigation: depends on severity, but we aim for 30 days for critical issues
ctrlmap runs entirely locally and makes no network calls to external services; the only model it talks to is a locally hosted Ollama instance. The primary security concerns are therefore:
- Dependency vulnerabilities in the Python supply chain
- File handling and path traversal in document parsing
- Local data integrity and access control
- LLM prompt injection via adversarial PDF content that could manipulate compliance outputs
The following are out of scope for this policy and should be reported to the relevant upstream project instead:
- Vulnerabilities in Ollama itself (report those to the Ollama project)
- Issues with the underlying operating system or Python runtime
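The "file handling and path traversal in document parsing" concern above is the one most easily checked in code. The following is an added example, not code from ctrlmap itself: it confines every document path a caller supplies to an allowed base directory, resolving `..` segments and symlinks before the containment test so that a symlink planted inside the documents folder cannot point the parser at a file outside it. The function names, the `docs/` layout and the sample files are assumptions made for the example.

```python
"""Added example (not ctrlmap's own code): confine document paths to a base
directory before handing them to a parser."""
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested document path escapes the allowed base directory."""


def resolve_document_path(base_dir, user_path):
    """Return an absolute path inside base_dir, or raise UnsafePathError.

    Path.resolve() collapses '..' and follows symlinks, so the containment
    check below sees the real target rather than the name the caller typed.
    Joining an absolute user_path onto base discards base entirely, which is
    exactly why the check must run on the resolved result, not the input.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafePathError(f"{user_path!r} resolves outside {base}") from None
    return candidate


def is_contained(base_dir, user_path):
    """Boolean form of resolve_document_path for callers that want to filter."""
    try:
        resolve_document_path(base_dir, user_path)
    except UnsafePathError:
        return False
    return True


def demo():
    """Build a constructed sample layout in a temporary directory:

        tmp/docs/policy.pdf   (legitimate document)
        tmp/secret.txt        (file outside the documents folder)
        tmp/docs/sneaky.pdf   (symlink pointing at tmp/secret.txt)

    and report which requests the containment check accepts.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "docs"
        base.mkdir()
        (base / "policy.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        outside = Path(tmp) / "secret.txt"
        outside.write_text("not a document")
        link = base / "sneaky.pdf"
        try:
            link.symlink_to(outside)
        except OSError:
            pass  # platform refuses symlink creation; that case is then reported as rejected
        results = {
            "policy.pdf": is_contained(base, "policy.pdf"),
            "../secret.txt": is_contained(base, "../secret.txt"),
            "absolute": is_contained(base, str(outside)),
            "symlink": is_contained(base, "sneaky.pdf") if link.is_symlink() else False,
        }
    return results


if __name__ == "__main__":
    for request, accepted in demo().items():
        print(f"{request:15} -> {'accepted' if accepted else 'rejected'}")
```

Only the relative name of a legitimate file is accepted; a `../` escape, an absolute path and a symlink that resolves outside the folder are all rejected by the same check. Call `resolve_document_path` once at the boundary where user input enters and pass only its return value to the parser.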