Security: sanchez314c/oh-sint

SECURITY.md

Security Policy

Supported Versions

Version   Supported
2.0.x     Yes
1.0.x     Yes
< 1.0     No

Reporting a Vulnerability

Don't open a public GitHub issue for security vulnerabilities.

To report a security issue, email: security@sanchez314c (or open a private GitHub security advisory).

Include as much of the following as you can:

  • Type of issue (e.g., API key exposure, injection, data leak)
  • The files involved and their location in the repo
  • Steps to reproduce
  • Potential impact

You'll get a response within 48 hours. If the issue is confirmed, a patch will be released as quickly as possible.

Security Considerations for Users

API Key Handling

OZint reads its API key from the ZAI_API_KEY environment variable. Never hardcode API keys in source, in config files that get committed, or on the command line.

# Correct: the key exists only in the environment of the running process
export ZAI_API_KEY="your_key_here"
./run-source-linux.sh

# Wrong - don't do this: a key passed on the command line is written to
# shell history and is visible to every user on the host via the process list
python src/zai_email_processor.py --key abc123

If you accidentally commit an API key, rotate it immediately and treat the old key as compromised: anyone who cloned or forked the repository in the meantime still has it, and rewriting history does not revoke it. Only then remove it from the history (git filter-repo, or the older git filter-branch) and force-push the cleaned branches.

Data Privacy

OZint processes email addresses and contact data. Users are responsible for:

  • Only processing email addresses they have authorization to research
  • Complying with applicable data protection laws (GDPR, CCPA, etc.)
  • Not storing results beyond their intended use
  • Securing output files that contain personal data

Output CSV and JSON files may contain personally identifiable information (PII). Treat them accordingly.

HIBP API Key

Wave 8 (HIBP breach lookup) is currently disabled in the code. The HIBP_API_KEY variable has no effect in the current version. When Wave 8 is re-enabled, keep that key secure.

Input Validation

OZint validates the format of input email addresses before processing; malformed entries are skipped with a warning rather than aborting the run. A format check is not sanitization: do not pass untrusted data (a scraped or user-supplied list, for example) directly into the processing pipeline without first sanitizing it.
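As an added example, not OZint's own validation code, the following Python shows the behaviour described above: a conservative format check that logs and skips malformed entries instead of raising, and that also rejects control characters and embedded whitespace, which is what lets a single bad "address" inject a mail header or smuggle an extra line into a log or CSV. The pattern, the length limit and the function names are this example's assumptions.

```python
import logging
import re
from typing import List, Optional, Tuple

# Added example, not OZint's own validation code. The pattern, the length
# limit and the function names below are this example's assumptions.

log = logging.getLogger("ozint.example")

MAX_LEN = 254  # practical upper bound for a complete address (RFC 5321)

# Local part: a conservative subset of printable ASCII. Domain: one or more
# dot-separated labels of letters, digits and interior hyphens.
_LOCAL = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]{1,64}"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_EMAIL_RE = re.compile(rf"^{_LOCAL}@(?:{_LABEL}\.)+{_LABEL}$")


def normalize_email(raw: str) -> Optional[str]:
    """Return a normalized address, or None if the input is malformed."""
    s = raw.strip()
    if not s or len(s) > MAX_LEN:
        return None
    # Reject control characters and embedded whitespace outright: a CR/LF or
    # tab inside an "address" is how header injection and log/CSV line
    # smuggling ride into the pipeline.
    if any(ord(c) < 0x20 or ord(c) == 0x7F or c.isspace() for c in s):
        return None
    if s.count("@") != 1:
        return None
    local, domain = s.split("@")
    if local.startswith(".") or local.endswith(".") or ".." in local:
        return None
    if not _EMAIL_RE.fullmatch(s):
        return None
    # Domains are case-insensitive; the local part is left as given.
    return f"{local}@{domain.lower()}"


def filter_targets(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Split raw input lines into (accepted, rejected). Rejected entries are
    logged with a warning and skipped instead of aborting the run, which is
    the behaviour the policy describes; accepted ones are de-duplicated."""
    accepted, rejected, seen = [], [], set()
    for n, raw in enumerate(lines, start=1):
        addr = normalize_email(raw)
        if addr is None:
            # %r keeps CR/LF visible in the log instead of splitting the line.
            log.warning("line %d: skipping malformed input %r", n, raw)
            rejected.append(raw)
        elif addr not in seen:
            seen.add(addr)
            accepted.append(addr)
    return accepted, rejected


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample input, not real data.
    sample = [
        "alice@example.com",
        "  Bob@Example.COM ",
        "alice@example.com",
        "not-an-email",
        "evil@example.com\r\nBcc: victim@example.net",
        "bob@@example.com",
        "user@localhost",
        "a" * 255 + "@example.com",
    ]
    ok, bad = filter_targets(sample)
    print("accepted:", ok)
    print("rejected:", len(bad))
```

The check is deliberately strict rather than RFC-complete: internationalized (non-ASCII) addresses and dotless domains are rejected, which for an OSINT tool is the safer failure, since a skipped entry costs one warning while an accepted control character can corrupt every output file downstream.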

Network Requests

The tool makes outbound HTTP requests to:

  • ZAI API (GLM-4.6 model)
  • Wayback Machine (web.archive.org CDX API)
  • PGP key servers (keys.openpgp.org)
  • Gravatar
  • crt.sh (certificate transparency)
  • DNS resolvers (MX, SPF, TXT lookups)

Note: HIBP support is present in the code, but Wave 8 is currently disabled, so no requests are made to Have I Been Pwned.

Run the tool only from networks where these outbound connections are acceptable.

Rate Limiting

The default rate limit is 100 API requests per hour (set via OZINT_RATE_LIMIT). Exceeding the provider's limits can result in API key suspension, so raise this only if you know what limits your key actually has.
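The two practices above, reading the key only from ZAI_API_KEY and capping outbound calls at OZINT_RATE_LIMIT per hour, as one added Python example that is not the project's own code. It fails closed when the key is missing, never accepts the key from argv, redacts it in repr so it cannot leak through logs or tracebacks, and enforces the limit with a sliding window whose clock and sleep are injectable so the waiting logic can be tested without real delays. The class names, the limiter design and the Bearer authorization header are assumptions; only the two variable names and the default of 100 per hour come from this page.

```python
import os
import time
from collections import deque
from typing import Callable, Mapping

# Added example, not OZint's own code. The environment variable names come
# from the policy; the limiter design, ApiClient and the Bearer header are
# this example's assumptions.

DEFAULT_RATE_LIMIT = 100   # requests per hour (documented default)
WINDOW_SECONDS = 3600.0


def load_api_key(env: Mapping[str, str] = os.environ) -> str:
    """Return ZAI_API_KEY from the environment, failing closed if unset.
    The key is deliberately never read from argv: command-line arguments
    end up in shell history and in the process list."""
    key = env.get("ZAI_API_KEY", "").strip()
    if not key:
        raise SystemExit("ZAI_API_KEY is not set; export it before running")
    return key


def load_rate_limit(env: Mapping[str, str] = os.environ) -> int:
    """Return OZINT_RATE_LIMIT as a positive int, or the documented default."""
    raw = env.get("OZINT_RATE_LIMIT")
    if raw is None:
        return DEFAULT_RATE_LIMIT
    try:
        limit = int(raw)
    except ValueError:
        raise SystemExit(f"OZINT_RATE_LIMIT must be an integer, got {raw!r}") from None
    if limit <= 0:
        raise SystemExit("OZINT_RATE_LIMIT must be positive")
    return limit


class SlidingWindowLimiter:
    """Allow at most `limit` calls in any rolling window of `window` seconds.
    `clock` and `sleep` are injectable so the behaviour can be tested
    without real waiting."""

    def __init__(self, limit: int, window: float = WINDOW_SECONDS,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.limit = limit
        self.window = window
        self._clock = clock
        self._sleep = sleep
        self._stamps: deque = deque()   # timestamps of calls inside the window

    def _prune(self, now: float) -> None:
        # Drop timestamps that have fallen out of the window.
        while self._stamps and now - self._stamps[0] >= self.window:
            self._stamps.popleft()

    def wait_time(self) -> float:
        """Seconds until the next call is allowed (0.0 if allowed now)."""
        now = self._clock()
        self._prune(now)
        if len(self._stamps) < self.limit:
            return 0.0
        return self.window - (now - self._stamps[0])

    def acquire(self) -> float:
        """Block until a slot is free, record the call, return seconds waited."""
        waited = self.wait_time()
        if waited > 0:
            self._sleep(waited)
        now = self._clock()
        self._prune(now)
        self._stamps.append(now)
        return waited


class ApiClient:
    """Thin wrapper that applies the limiter to every call and keeps the key
    out of reprs, logs and tracebacks."""

    def __init__(self, api_key: str, limiter: SlidingWindowLimiter,
                 send: Callable[[dict, dict], dict]) -> None:
        self._key = api_key
        self._limiter = limiter
        self._send = send          # real code: an HTTP POST to the ZAI API
        self.calls = 0

    def request(self, payload: dict) -> dict:
        self._limiter.acquire()
        self.calls += 1
        headers = {"Authorization": f"Bearer {self._key}"}  # scheme assumed
        return self._send(headers, payload)

    def __repr__(self) -> str:
        return f"ApiClient(key=***{self._key[-4:]}, calls={self.calls})"


if __name__ == "__main__":
    client = ApiClient(load_api_key(),
                       SlidingWindowLimiter(load_rate_limit()),
                       send=lambda headers, payload: {"echo": payload})
    print(client.request({"email": "alice@example.com"}), client)
```

A sliding window is used instead of a fixed hourly counter because a counter that resets on the hour allows up to twice the limit across a reset boundary, which is exactly the burst a provider's own limiter will see and penalize. Note that this limiter is per process: two copies of the tool sharing one key each get the full budget, so either run one instance per key or share the window through a file lock or a small database.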

Responsible Use

This tool is designed for authorized OSINT research, security testing, and professional contact enrichment. Use it only on email addresses and domains you have explicit permission to investigate. Unauthorized use against individuals or organizations may violate computer fraud laws, privacy laws, or terms of service agreements.
