|
1 | 1 | # Security Policy |
2 | 2 |
|
3 | | -SharpADIDNS is a dual-use security and administration tool for AD-integrated DNS. This policy covers security issues in the SharpADIDNS project itself, not the use of the tool against third-party environments. |
| 3 | +SharpADIDNS is a dual-use tool for authorized work with AD-integrated DNS. This policy only covers security issues in this repository, its source code, and official release artifacts. |
4 | 4 |
|
5 | | -## Supported Versions |
| 5 | +It does not authorize testing or modifying systems without explicit permission. |
6 | 6 |
|
7 | | -Security fixes are handled for the latest tagged release and the `main` branch on a best-effort basis. |
| 7 | +## Reporting |
8 | 8 |
|
9 | | -Older tags, modified copies, and forks are not supported. |
| 9 | +Please do not disclose security details in public issues, pull requests, discussions, gists, or social posts. |
10 | 10 |
|
11 | | -## Scope |
12 | | - |
13 | | -In scope: |
14 | | - |
15 | | -- Vulnerabilities in the SharpADIDNS source code. |
16 | | -- Issues in official release artifacts published from this repository. |
17 | | -- Build, packaging, or documentation issues that could cause unsafe or misleading use. |
18 | | -- Repository or release integrity concerns affecting this project. |
19 | | - |
20 | | -Out of scope: |
21 | | - |
22 | | -- Abuse of expected SharpADIDNS functionality in unauthorized environments. |
23 | | -- Vulnerabilities in Active Directory, DNS, C2 frameworks, operator infrastructure, or third-party deployments. |
24 | | -- Requests to bypass detection, access controls, or organizational policy. |
25 | | -- Social engineering, denial-of-service testing, spam, or attacks against GitHub, maintainers, or users. |
26 | | -- Theoretical reports without a clear impact path. |
27 | | - |
28 | | -## Reporting a Vulnerability |
29 | | - |
30 | | -Please do not disclose vulnerability details in a public issue, pull request, discussion, gist, social post, or chat transcript. |
| 11 | +Use GitHub Private Vulnerability Reporting if available: |
31 | 12 |
|
32 | | -Preferred reporting channel: |
| 13 | +<https://github.com/RedteamNotes/SharpADIDNS/security/advisories/new> |
33 | 14 |
|
34 | | -- Use GitHub Private Vulnerability Reporting for this repository, if available: |
35 | | - <https://github.com/RedteamNotes/SharpADIDNS/security/advisories/new> |
| 15 | +If private reporting is not available, open a public issue titled `Security contact request` and include only a brief, non-sensitive summary. |
36 | 16 |
|
37 | | -Fallback reporting channel: |
| 17 | +Remove credentials, tokens, private keys, customer data, internal domain names, IP addresses, and other sensitive details before reporting. |
38 | 18 |
|
39 | | -- If private reporting is not available, open a public issue titled `Security contact request` and include only a brief, non-sensitive summary. |
40 | | - |
41 | | -Please include: |
42 | | - |
43 | | -- Affected version, tag, commit, or release artifact. |
44 | | -- A clear impact statement. |
45 | | -- Minimal reproduction steps. |
46 | | -- Relevant logs or command output with secrets removed. |
47 | | -- Any suggested remediation, if available. |
48 | | - |
49 | | -Do not include production credentials, tokens, private keys, customer data, internal domain names, internal IP addresses, or other sensitive environmental details unless a private channel has been agreed. |
50 | | - |
51 | | -## Handling |
52 | | - |
53 | | -Reports are reviewed on a best-effort basis. Valid issues may be fixed in `main`, included in the next release, or documented with mitigation guidance depending on impact and complexity. |
| 19 | +## Scope |
54 | 20 |
|
55 | | -The project may decline reports that primarily enable unauthorized operation, policy bypass, or offensive tasking support rather than improving the security of SharpADIDNS itself. |
| 21 | +In scope: bugs in SharpADIDNS source code, official release artifacts, build or packaging issues, and repository integrity concerns. |
56 | 22 |
|
57 | | -## Safe Use |
| 23 | +Out of scope: unauthorized use of the tool, third-party AD or DNS misconfigurations, operator infrastructure issues, detection bypass requests, and reports without a clear impact path. |
58 | 24 |
|
59 | | -SharpADIDNS is intended for authorized security assessments, lab environments, CTFs, and controlled administration work. |
| 25 | +## Use |
60 | 26 |
|
61 | | -Operators should prefer `--dry-run` and `--backup-to` before write operations, keep engagement authorization and change records, and avoid including sensitive environment details in bug reports. |
| 27 | +Use SharpADIDNS only in authorized assessments, labs, CTFs, or controlled administration work. Prefer `--dry-run` and `--backup-to` before write operations. |
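Review bot: the rewrite drops two pieces of information reporters need: the Supported Versions statement (old lines 5-9, which said fixes cover the latest tagged release and `main` and that older tags, modified copies, and forks are unsupported) and the "Please include" checklist (old lines 41-47: affected version or commit, impact statement, minimal reproduction steps, sanitized logs). Without them a reporter cannot tell whether a finding on an older tag is eligible or what a complete report looks like; suggest keeping one line for each, for example `Fixes target the latest tagged release and the `main` branch; older tags and forks are not supported.` and a single bullet list of the requested fields under Reporting. Separately, new line 17 makes the removal of domain names, IP addresses, and credentials unconditional, whereas old line 49 permitted such details once a private channel was agreed; since new line 13 points reporters at a private advisory, consider restoring that qualifier so reproduction details can still be shared through the private channel.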