|
| 1 | +# Security Policy |
| 2 | + |
| 3 | +## ⚠️ Important Notice |
| 4 | + |
| 5 | +RickShell is a penetration testing and red team tool. It is designed exclusively for use on systems you own or have **explicit written authorization** to test. Unauthorized use against third-party systems is illegal and unethical. |
| 6 | + |
| 7 | +--- |
| 8 | + |
| 9 | +## Supported Versions |
| 10 | + |
| 11 | +| Version | Supported | |
| 12 | +|---------|-----------| |
| 13 | +| Latest (main) | ✔ | |
| 14 | +| Older releases | ✘ | |
| 15 | + |
| 16 | +Only the latest version on the `main` branch receives security updates. |
| 17 | + |
| 18 | +--- |
| 19 | + |
| 20 | +## Reporting a Vulnerability |
| 21 | + |
| 22 | +If you discover a security vulnerability in RickShell itself (e.g. unintended code execution on the attacker machine, insecure defaults, dependency issues), please report it responsibly. |
| 23 | + |
| 24 | +**Do not open a public GitHub issue for security vulnerabilities.** |
| 25 | + |
| 26 | +### How to report |
| 27 | + |
| 28 | +1. Open a **private** GitHub Security Advisory via the [Security tab](../../security/advisories/new) of this repository. |
| 29 | +2. Include the following information: |
| 30 | + - A clear description of the vulnerability |
| 31 | + - Steps to reproduce |
| 32 | + - Potential impact |
| 33 | + - Your suggested fix (if any) |
| 34 | + |
| 35 | +You can expect an initial response within **72 hours**. |
| 36 | + |
| 37 | +--- |
| 38 | + |
| 39 | +## Scope |
| 40 | + |
| 41 | +The following are considered in-scope for vulnerability reports: |
| 42 | + |
| 43 | +- Remote code execution on the **attacker machine** (the machine running RickShell) |
| 44 | +- Privilege escalation caused by RickShell itself |
| 45 | +- Insecure handling of session data or socket connections |
| 46 | +- Dependency vulnerabilities with direct exploitability |
| 47 | + |
| 48 | +The following are **out of scope:** |
| 49 | + |
| 50 | +- Vulnerabilities in payloads executed on target machines (that is the intended functionality) |
| 51 | +- Issues arising from use on systems without authorization |
| 52 | +- Social engineering of the maintainers |
| 53 | + |
| 54 | +--- |
| 55 | + |
| 56 | +## Responsible Use |
| 57 | + |
| 58 | +By using RickShell you agree to: |
| 59 | + |
| 60 | +- Only use this tool on systems you own or have **explicit written permission** to test |
| 61 | +- Comply with all applicable local, national, and international laws |
| 62 | +- Not use this tool to cause harm, disrupt services, or compromise systems without authorization |
| 63 | + |
| 64 | +The authors of RickShell are not responsible for any damage or legal consequences resulting from misuse of this software. |
| 65 | + |
| 66 | +--- |
| 67 | + |
| 68 | +## Dependencies |
| 69 | + |
| 70 | +RickShell depends on the following third-party library: |
| 71 | + |
| 72 | +| Package | Purpose | |
| 73 | +|---------|---------| |
| 74 | +| `psutil` | Network interface detection | |
| 75 | + |
| 76 | +Keep dependencies up to date. You can check for outdated packages with: |
| 77 | + |
| 78 | +```bash |
| 79 | +pip3 list --outdated |
| 80 | +``` |
0 commit comments