
Security: l3tchupkt/PluginHunter


SECURITY.md

Security Policy

Reporting Security Vulnerabilities

If you discover a security vulnerability in PluginHunter, please report it responsibly.

How to Report

DO NOT create a public GitHub issue for security vulnerabilities.

Instead, please email:

What to Include

Please include:

  1. Description of the vulnerability
  2. Steps to reproduce
  3. Potential impact
  4. Suggested fix (if any)
  5. Your contact information

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Fix Timeline: Depends on severity
    • Critical: 1-7 days
    • High: 7-14 days
    • Medium: 14-30 days
    • Low: 30-90 days

Disclosure Policy

We follow responsible disclosure:

  1. You report the vulnerability privately
  2. We acknowledge and investigate
  3. We develop and test a fix
  4. We release the fix
  5. We publicly disclose (with credit to you, if desired)

Security Best Practices for Users

When using PluginHunter:

  1. Keep Updated

    pip install --upgrade PluginHunter
  2. Protect Configuration Files

    chmod 600 server_config.json
  3. Secure Credentials

    • Don't commit config files with tokens
    • Use environment variables for sensitive data
    • Rotate tokens regularly
  4. Server Mode Security

    • Run on secure VPS
    • Use firewall rules
    • Enable SSH key authentication
    • Monitor access logs
  5. Report Storage

    • Protect report directories
    • Don't expose reports publicly
    • Archive old reports securely
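The checks in items 2 and 3 above (config file permissions, tokens kept out of version control, secrets supplied through the environment) can be scripted as a pre-start check for a server-mode deployment. The following POSIX shell script is an added example, not part of the PluginHunter project; it assumes the config file is server_config.json in the current directory and uses PLUGINHUNTER_TOKEN as a constructed, hypothetical environment variable name, since the page does not name the real one.

```shell
#!/bin/sh
# Added example (not PluginHunter's own code): pre-start checks that follow the
# "Security Best Practices for Users" advice. Assumptions: the config file is
# server_config.json, and the token is expected in the environment variable
# PLUGINHUNTER_TOKEN (a constructed name; the real variable is not given on the page).

# Print the octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the file is readable and writable by its owner only (mode 600), else 1.
check_config_perms() {
    mode=$(file_mode "$1") || return 1
    [ "$mode" = "600" ]
}

# Return 0 if the config file name is listed as an exact line in .gitignore, else 1,
# so the file (and the tokens inside it) cannot be committed by accident.
check_gitignored() {
    [ -f .gitignore ] && grep -qx "$1" .gitignore
}

# Return 0 if the token is supplied through the environment (non-empty), else 1.
check_token_in_env() {
    [ -n "${PLUGINHUNTER_TOKEN:-}" ]
}

# Run every check, report each failure, and return non-zero if any check failed.
preflight() {
    cfg=${1:-server_config.json}
    rc=0
    if ! check_config_perms "$cfg"; then
        echo "FAIL: $cfg is not mode 600 (run: chmod 600 $cfg)"
        rc=1
    fi
    if ! check_gitignored "$cfg"; then
        echo "FAIL: $cfg is not in .gitignore; it could be committed with its tokens"
        rc=1
    fi
    if ! check_token_in_env; then
        echo "FAIL: PLUGINHUNTER_TOKEN is not set; keep the token out of files"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: configuration checks passed"
    return "$rc"
}
```

Source the file and call `preflight server_config.json` from the directory that holds the config, or append `preflight "$@"` as the last line to run it as a standalone script. Each check is its own function so a failing one can be fixed and re-run in isolation.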

Supported Versions

Version Supported
1.2.x
< 1.2

Known Security Considerations

  1. Dynamic Verification: Requires Docker and may execute potentially dangerous code in containers
  2. Server Mode: Stores sensitive tokens in configuration files
  3. Reports: May contain sensitive information about vulnerabilities

Security Features

PluginHunter includes:

  • No arbitrary code execution (except in isolated Docker containers for dynamic verification)
  • Input validation for all user inputs
  • Safe file handling
  • Secure HTTP requests
  • No storage of credentials in code

Legal Notice

PluginHunter is a security research tool. Users are responsible for:

  • Obtaining proper authorization before scanning
  • Complying with applicable laws
  • Following responsible disclosure practices
  • Not using the tool for malicious purposes

Credits

We appreciate security researchers who help improve PluginHunter. With your permission, we'll credit you in:

  • CHANGELOG.md
  • Security advisories
  • Release notes

Author: LAKSHMIKANTHAN K (letchupkt)
License: MIT
