We actively support the following versions of APILeak with security updates:
| Version | Supported |
|---|---|
| 0.1.x | β |
We take the security of APILeak seriously. If you discover a security vulnerability, please follow these steps:
Please do NOT create a public GitHub issue for security vulnerabilities.
Instead, please report security vulnerabilities by:
- Email: Send details to security@apileak.dev
- Subject: Include "SECURITY" in the subject line
- Details: Provide as much information as possible about the vulnerability
When reporting a vulnerability, please include:
- Description: Clear description of the vulnerability
- Impact: Potential impact and attack scenarios
- Reproduction: Step-by-step instructions to reproduce
- Environment: APILeak version, Python version, OS
- Proof of Concept: Code or screenshots if applicable
- Suggested Fix: If you have ideas for remediation
We are committed to responding to security reports promptly:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution: Within 30 days for critical issues
When using APILeak:
- Authorization: Only test APIs you own or have explicit permission to test
- Rate Limiting: Use appropriate rate limiting to avoid DoS
- Credentials: Never include real credentials in configuration files
- Scope: Limit testing scope to authorized endpoints only
- Dependencies: Keep dependencies updated
- Configuration: Use secure configuration practices
- Logging: Avoid logging sensitive information
- Access Control: Implement proper access controls for scan results
- Network Isolation: Run scans from isolated networks when possible
- Result Storage: Secure storage of scan results and reports
- Access Logs: Monitor access to APILeak and scan results
- Regular Updates: Keep APILeak updated to the latest version
APILeak includes several security features:
- Input Validation: Comprehensive input validation and sanitization
- Rate Limiting: Built-in rate limiting to prevent abuse
- Secure Defaults: Secure default configurations
- Audit Logging: Comprehensive audit logging of all operations
- No Credential Storage: No persistent storage of authentication credentials
- APILeak is a security testing tool that generates potentially malicious requests
- Scan results may contain sensitive information and should be handled securely
- The tool should only be used against systems you own or have permission to test
- Network traffic generated by APILeak may trigger security monitoring systems
We recognize security researchers who help improve APILeak security:
Thank you for helping keep APILeak and its users secure! π‘οΈ