| Version | Supported |
|---|---|
| 1.0.x | ✅ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them privately via:
- GitHub Security Advisories (preferred)
- Email: security@recongpt.io
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity
- Critical: 1-3 days
- High: 7-14 days
- Medium: 30 days
- Low: Best effort
- We follow responsible disclosure
- Security issues will be patched before public disclosure
- Credit will be given to reporters (if desired)
- CVE IDs will be requested for significant vulnerabilities
When using ReconGPT:
- Never scan unauthorized domains
- Protect your API keys - Use environment variables
- Limit scan scope - Don't scan entire internet ranges
- Rate limit - Respect target infrastructure
- Isolate workers - Run in sandboxed environments
- Audit logs - Review all scan activities
- Update regularly - Keep dependencies current
- ReconGPT executes external tools (subfinder, httpx, etc.)
- Scan results may contain sensitive data
- AI analysis sends data to OpenAI (sanitize if needed)
- Workers should run in isolated environments
- Input validation on all API endpoints
- Rate limiting per user
- Audit logging of all scans
- Configurable domain whitelist/blacklist
- Isolated job execution
For security questions, contact: security@recongpt.io