A newer version of the Gradio SDK is available: 6.14.0
Security Policy
Reporting a Vulnerability
If you believe you have discovered a security vulnerability in this repository, please do not open a public issue, discussion, or pull request describing the vulnerability.
Use a private reporting channel instead:
GitHub Private Vulnerability Reporting
Go to Security β Report a vulnerability in this repository, if available.Direct security contact
Email:security@yourdomain.com
Replace the email address above with the correct production security contact before publishing this repository.
Project Scope
This repository implements a passive, drift-aware OSINT control panel.
The system is designed around the following control path:
Validation β Policy β Execution β Drift β Audit
The default operating mode is passive. Any active interaction with a user-provided target must be explicitly authorized before execution.
Security reports are most valuable when they help strengthen validation, authorization, policy enforcement, drift detection, audit integrity, or safe handling of indicators.
Security Model
The project is built around the following invariants:
No raw indicators in audit logs.
No conditional modules without explicit authorization.
No forbidden modules.
No policy mutation without out-of-band approval.
No correction outside the approved verbs: ADAPT, CONSTRAIN, REVERT, OBSERVE.
The intended trust boundary is:
User Input β Validation β Policy Decision β Approved Execution β Drift Check β Audit Record
Any bypass, mutation, or unsafe shortcut in this chain may be security-relevant.
In-Scope Vulnerabilities
High-priority reports include:
- Input validation or sanitization bypass
- Raw indicator leakage before hashing or redaction
- Exposure of
OSINT_HASH_SALTor other secrets - Authorization gate bypass
- Execution of conditional modules without approval
- Audit log tampering, deletion, or suppression
- Policy mutation without out-of-band approval
- Drift detection manipulation that hides unsafe behavior
- Introduction of forbidden modules or active tooling
- Dependency behavior that causes unsafe execution or structural drift
Medium-priority reports include:
- Incorrect module risk classification
- Unsafe report generation
- Overly permissive source registry behavior
- Inconsistent correction-verb enforcement
- Unhandled exceptions that expose sensitive runtime details
- Incomplete audit records for security-relevant actions
- Configuration behavior that weakens passive-first guarantees
Low-priority reports include:
- UI-only issues without security impact
- Non-sensitive error message quality
- Documentation inconsistencies
- Minor logging or formatting issues that do not affect audit integrity
Out of Scope
The following are not considered vulnerabilities in this repository:
- Issues in third-party OSINT services linked by the application
- Social engineering attacks
- Denial-of-service attempts
- Physical attacks
- Spam or phishing reports unrelated to this codebase
- Vulnerabilities requiring unauthorized access to third-party systems
- Reports involving active scanning or exploitation of targets not owned or explicitly controlled by the reporter
- Misuse of the tool by end users outside the intended authorization model
- Findings based only on hypothetical impact without a realistic path to exploitation
Testing Rules
Security testing must be safe, authorized, and non-destructive.
Do not:
- Use real user data
- Submit secrets, credentials, or unauthorized target data
- Perform active scanning against third-party systems
- Attempt persistence, privilege escalation, or data exfiltration
- Degrade service availability
- Run destructive payloads
- Chain exploits against systems outside your authorization scope
If sensitive data is encountered during testing, stop immediately and report the exposure through a private channel.
Report Requirements
Please include as much of the following as possible:
- Summary of the issue
- Affected component, file, or control path
- Steps to reproduce
- Expected behavior
- Actual behavior
- Security impact
- Safe proof of concept, if applicable
- Suggested mitigation, if known
- Whether the issue affects validation, policy, execution, drift detection, or audit integrity
Please avoid including real user data, live secrets, unauthorized target data, destructive payloads, or exploit chains against third-party systems.
Response Process
Expected response timeline:
- Acknowledgement: within 48 hours
- Initial triage: within 5 business days
- Severity assessment: after reproduction and impact review
- Fix plan: after validation of the issue
- Coordinated disclosure: when applicable
Timelines may vary depending on complexity, severity, and maintainer availability.
Coordinated Disclosure
Please give the maintainers reasonable time to investigate and remediate confirmed vulnerabilities before public disclosure.
If a vulnerability affects users, deployment safety, secrets, or audit integrity, coordinated disclosure may include:
- Patch development
- Regression tests
- Security advisory publication
- Versioned release notes
- Mitigation guidance
Safe Harbor
Good-faith security research is welcome when it follows this policy.
The project will not pursue action against researchers who:
- Act in good faith
- Stay within authorized scope
- Avoid privacy violations
- Avoid service degradation
- Avoid persistence or exfiltration
- Report vulnerabilities promptly and privately
- Stop testing if sensitive data is encountered
Safe harbor does not apply to activity that targets third-party systems without authorization, uses destructive techniques, or attempts to access, retain, or disclose data that does not belong to the researcher.
Preferred Areas of Review
Reports are especially useful when they improve:
- Indicator validation
- Hashing and redaction behavior
- Authorization gating
- Passive-first enforcement
- Conditional module controls
- Source registry constraints
- Drift attribution
- Audit log integrity
- Policy mutation safeguards
- Dependency and supply-chain safety
Security Contact
Primary security contact:
distortedprojection@gmail.com