Vulnerability Reporting

Security Disclosure Policy

We take security seriously. If you've found a vulnerability in Counterscarp, please report it responsibly using the guidelines below.

Reporting a Vulnerability

Do NOT open a public GitHub issue for security vulnerabilities. Instead, please report via our dedicated security email:

security@counterscarp.io

What to Include

  • Clear description of the vulnerability
  • Step-by-step reproduction instructions
  • Affected version(s) of Counterscarp Engine
  • Impact assessment (what an attacker could achieve)
  • Suggested fix, if applicable

Encryption

If you need to send sensitive details, a PGP key is available upon request. Email us first and we'll provide it.

Response Timeline

  • Acknowledgment: Within 48 hours of receipt
  • Initial Assessment: Within 5 business days
  • Fix Timeline: Depends on severity (see below)

  Severity   Fix Timeline   Description
  Critical   7 days         Remote code execution, key compromise, data exfiltration
  High       14 days        Authentication bypass, privilege escalation, significant data exposure
  Medium     30 days        Information disclosure, limited impact vulnerabilities
  Low        90 days        Minor issues, defense-in-depth improvements

Responsible Disclosure

  • Please do not publicly disclose the vulnerability until a fix has been released and users have had time to update
  • We commit to not pursuing legal action against good-faith security researchers who follow this policy
  • Credit will be given in release notes and on this page (unless you prefer to remain anonymous)
  • We will coordinate disclosure timing with you and keep you informed of fix progress

Scope

In Scope

  • Counterscarp Engine — all supported versions (v4.x and v5.x)
  • counterscarp.io website
  • api.counterscarp.io (license validation API)
  • app.counterscarp.io (web application)
  • CLI tools and report generation pipeline

Out of Scope

  • Third-party dependencies — please report these to the respective upstream maintainer
  • Social engineering attacks against Counterscarp team members
  • Denial of service attacks
  • Issues in deprecated versions (below v4.0)

Supported Versions

  Version   Supported
  5.x.x     Yes — active development
  4.x.x     Yes — security patches only
  < 4.0     No — end of life