Found a bug in the launcher (haxbox.py, the installer, the catalog data)
that has security impact? Please report it privately:
- Open a security advisory on GitHub
- Or email the maintainer (see GitHub profile)

Please don't open a public issue for security bugs until a fix is shipped. Expected response: within 7 days.

In scope:
- The installer running an unintended command
- A catalog entry pointing to a malicious mirror
- Path-traversal or RCE in the launcher
- Credentials / state being persisted insecurely

Not in scope:
- The behavior of upstream tools the catalog points to (report those to the upstream project)
- Misuse of the toolkit by an end user

HaxBox is a curator and installer of publicly available security tools. By using it, you affirm that:
- You will only use the cataloged tools against systems you own or have written authorization to test.
- You understand that unauthorized access to computer systems is a crime in virtually every jurisdiction.
- You accept full responsibility for your use of the tools.

The maintainers accept no liability for misuse.

HaxBox does not redistribute or include:
- Exploits, payloads, or shellcode
- Credential dumps, breach data, or wordlists of victim PII
- AV/EDR evasion implementations
- Targeted attacks against specific real-world organizations

If you find a catalog entry that crosses these lines, please open an issue or PR to remove it.