Skip to content

Security: MoisesTapia/apileaks

SECURITY.md

Security Policy

Supported Versions

We actively support the following versions of APILeak with security updates:

Version Supported
0.1.x βœ…

Reporting a Vulnerability

We take the security of APILeak seriously. If you discover a security vulnerability, please follow these steps:

πŸ”’ Private Disclosure

Please do NOT create a public GitHub issue for security vulnerabilities.

Instead, please report security vulnerabilities by:

  1. Email: Send details to security@apileak.dev
  2. Subject: Include "SECURITY" in the subject line
  3. Details: Provide as much information as possible about the vulnerability

πŸ“‹ What to Include

When reporting a vulnerability, please include:

  • Description: Clear description of the vulnerability
  • Impact: Potential impact and attack scenarios
  • Reproduction: Step-by-step instructions to reproduce
  • Environment: APILeak version, Python version, OS
  • Proof of Concept: Code or screenshots if applicable
  • Suggested Fix: If you have ideas for remediation

πŸ• Response Timeline

We are committed to responding to security reports promptly:

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Resolution: Within 30 days for critical issues

πŸ›‘οΈ Security Best Practices

When using APILeak:

For Security Testing

  • Authorization: Only test APIs you own or have explicit permission to test
  • Rate Limiting: Use appropriate rate limiting to avoid DoS
  • Credentials: Never include real credentials in configuration files
  • Scope: Limit testing scope to authorized endpoints only

For Development

  • Dependencies: Keep dependencies updated
  • Configuration: Use secure configuration practices
  • Logging: Avoid logging sensitive information
  • Access Control: Implement proper access controls for scan results

For Production Use

  • Network Isolation: Run scans from isolated networks when possible
  • Result Storage: Secure storage of scan results and reports
  • Access Logs: Monitor access to APILeak and scan results
  • Regular Updates: Keep APILeak updated to the latest version

πŸ” Security Features

APILeak includes several security features:

  • Input Validation: Comprehensive input validation and sanitization
  • Rate Limiting: Built-in rate limiting to prevent abuse
  • Secure Defaults: Secure default configurations
  • Audit Logging: Comprehensive audit logging of all operations
  • No Credential Storage: No persistent storage of authentication credentials

🚨 Known Security Considerations

  • APILeak is a security testing tool that generates potentially malicious requests
  • Scan results may contain sensitive information and should be handled securely
  • The tool should only be used against systems you own or have permission to test
  • Network traffic generated by APILeak may trigger security monitoring systems

πŸ“š Security Resources

πŸ† Security Hall of Fame

We recognize security researchers who help improve APILeak security:


Thank you for helping keep APILeak and its users secure! πŸ›‘οΈ

There aren't any published security advisories