Skip to content

Security: StewAlexander-com/ShadowVendor

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
14.x
< 14.0

Reporting a Vulnerability

Do not open public GitHub issues for security vulnerabilities.

Report vulnerabilities privately using one of the following:

In Scope

Please report issues in ShadowVendor itself, including:

  • Remote code execution or command injection in the tool
  • Path traversal or unsafe file handling
  • Credential leakage or unsafe handling of secrets
  • Supply-chain or dependency issues affecting shipped code

Out of Scope

The following are not considered vulnerabilities in ShadowVendor:

  • Operator misconfiguration or misuse of the tool
  • Vulnerabilities in third-party OUI lookup APIs (api.macvendors.com, api.maclookup.app)
  • Risks from opening generated HTML dashboards in a browser (Plotly loaded from CDN)
  • Network data you choose to export to your SIEM or share externally

For privacy and network behavior (local processing, offline mode, optional API lookups), see the README Security Considerations and ADVANCED.md.

Response Expectations

  • Acknowledgment: within 7 business days
  • Initial assessment: within 14 business days
  • Disclosure: coordinated disclosure preferred; we will work with reporters on timing

There aren't any published security advisories