Language: English (en-US) — default. Português (pt-BR): SECURITY.pt-BR.md
- In scope: flaws in EmbedXPL-Forge itself (Python code, declared dependencies, tools/scripts) that affect the operator (RCE on the analyst machine, unsafe input handling, etc.).
- Out of scope: “0-day” findings in third-party devices discovered while using the framework; report those through the vendor or their bug bounty program.
- Functional scope: routers, switches, TAPs, firewalls, NGFW, printers/MFP (fully in scope since v3.1.0), cameras, embedded OS, ICS/OT, smart home, maritime IoT. All module categories are now in scope.
- Use GitHub private vulnerability reporting: Security → Report a vulnerability on mrhenrike/EmbedXPL-Forge.
- Do not file a public issue with a full exploit before triage.
- Include:
  - Affected commit or tag
  - Minimal reproduction steps
  - Impact (confidentiality, integrity, availability)
  - Suggested patch (optional)
  - Logs without third-party secrets

| Phase | Target |
|---|---|
| Acknowledgement | ~72 hours |
| Initial triage | ~7 business days |
| Fix | depends on severity and complexity |

We prefer coordinated disclosure: keep details private until a fix is available or a disclosure timeline has been agreed. Immediately publishing a public PoC may be discouraged when doing so puts users at risk.
- Use only on assets you own or with written authorization.
- Third-party production requires contract and clear rules of engagement.
- Do not submit customer data, credentials, or dumps to this repository.
- Modules may be destructive in lab environments — isolate test networks.

Harassment or abuse in project channels: see CODE_OF_CONDUCT.md and use private reporting where appropriate.