
Security: TMHSDigital/Am-I-Hacked


SECURITY.md

Security Policy

Supported Versions

| Version | Supported |
|---------|-----------|
| 0.5.x   | Yes       |
| 0.4.x   | Yes       |
| 0.3.x   | No        |
| < 0.3   | No        |

Scope

Am I Hacked? is a local, read-only security assessment tool. It does not expose network services, store data remotely, or run as a persistent agent. Vulnerabilities in scope include:

  • False negatives that would cause a genuinely compromised system to report as clean (detection logic bugs)
  • Code execution bugs — scenarios where running the tool on a compromised system could allow the attacker to escalate or persist via the tool itself
  • Insecure handling of API keys or user-supplied config that leaks credentials
  • Report injection — malicious finding data that executes code when the HTML report is opened
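The last item above is worth making concrete. Everything the tool copies off the scanned host (process names, command lines, cron entries, file paths) is attacker-controlled once the host is compromised, so a report writer that interpolates it straight into HTML hands the attacker script execution in the analyst's browser. The example below is added here to illustrate that class; it is not Am I Hacked?'s own code, and the `Finding` shape, the `category`/`detail` field names and the sample findings are constructed for the illustration. It shows the vulnerable renderer next to a hardened one (HTML-escaping every field, quotes included, plus a Content-Security-Policy meta tag as defence in depth) and a parser-based audit that can serve as a regression test for the renderer.

```python
import html
from dataclasses import dataclass
from html.parser import HTMLParser

# Tags the report is expected to contain; anything else means untrusted
# data reached the browser as markup.
ALLOWED_TAGS = {"html", "head", "meta", "body", "h1", "table", "tr", "th", "td"}


@dataclass
class Finding:
    category: str  # set by the scanner's own rules: trusted
    detail: str    # copied from the scanned host: attacker-controlled


# Constructed sample findings (hypothetical, not real scanner output). The
# second one is what a process name or cron entry planted by an attacker who
# anticipates the tool might look like.
SAMPLE_FINDINGS = [
    Finding("suspicious_process", "/tmp/.x/kworkerd --listen 0.0.0.0:4444"),
    Finding("persistence", '<img src=x onerror="alert(document.title)">'),
]


def render_report_unsafe(findings):
    """Vulnerable renderer: untrusted detail interpolated straight into HTML."""
    rows = "".join(
        f"<tr><td>{f.category}</td><td>{f.detail}</td></tr>" for f in findings
    )
    return f"<html><body><h1>Findings</h1><table>{rows}</table></body></html>"


def render_report_safe(findings):
    """Hardened renderer: every field is HTML-escaped (quote=True also escapes
    ' and " so values are safe inside attributes too), and the document carries
    a CSP that blocks inline script even if an escape is ever missed."""
    csp = ('<meta http-equiv="Content-Security-Policy" '
           'content="default-src \'none\'; style-src \'unsafe-inline\'">')
    rows = "".join(
        f"<tr><td>{html.escape(f.category, quote=True)}</td>"
        f"<td>{html.escape(f.detail, quote=True)}</td></tr>"
        for f in findings
    )
    return (f"<html><head>{csp}</head><body><h1>Findings</h1>"
            f"<table>{rows}</table></body></html>")


class _TagAudit(HTMLParser):
    """Collects every tag the browser would see, plus any on* event-handler
    attribute. Escaped text (&lt;img ...&gt;) is data, not a tag, so it is
    correctly ignored."""

    def __init__(self):
        super().__init__()
        self.tags = set()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def audit_report(report_html):
    """Return (unexpected_tags, event_handlers). Both empty means the report
    contains no active content the renderer did not put there itself."""
    parser = _TagAudit()
    parser.feed(report_html)
    parser.close()
    return sorted(parser.tags - ALLOWED_TAGS), parser.handlers


if __name__ == "__main__":
    for name, render in (("unsafe", render_report_unsafe),
                         ("safe", render_report_safe)):
        bad_tags, handlers = audit_report(render(SAMPLE_FINDINGS))
        print(f"{name}: unexpected tags={bad_tags} handlers={handlers}")
```

Run against the constructed findings, the unsafe renderer yields an `img` tag carrying an `onerror` handler, while the safe renderer yields only the allowed tags and no handlers. The audit is a structural check, not a sanitiser: the fix is escaping at the point of output, and the audit exists to catch the day someone adds a new field and forgets it.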

Out of scope:

  • False positives (legitimate software flagged as suspicious) — open a Detection Request instead
  • Issues requiring physical access to the machine being scanned
  • Findings about the user's own environment surfaced by the tool (that's the point)

Reporting a Vulnerability

Please do not open a public GitHub issue for security vulnerabilities.

Use GitHub's private vulnerability reporting to submit a report confidentially. Include:

  1. A description of the vulnerability and its impact
  2. Steps to reproduce or a proof-of-concept
  3. The version of the tool affected
  4. Any suggested fix if you have one

Response Timeline

| Milestone          | Target                                                    |
|--------------------|-----------------------------------------------------------|
| Acknowledgement    | Within 48 hours                                           |
| Initial assessment | Within 5 business days                                    |
| Fix or mitigation  | Depends on severity; critical issues prioritized          |
| Public disclosure  | Coordinated with reporter after fix is released           |

We follow responsible disclosure and will credit reporters in the release notes unless anonymity is requested.

There aren’t any published security advisories