Vértice-MAXIMUS is a professional cybersecurity platform. We take security vulnerabilities seriously and appreciate responsible disclosure from the security community.
| Version | Supported |
|---|---|
| 2.0.x | ✅ |
| 1.x | ❌ |
If you discover a security vulnerability in Vértice-MAXIMUS, please follow responsible disclosure practices:
- DO NOT open a public GitHub issue
- Email: [email protected]
- Subject: `[SECURITY] Vulnerability Report - [Brief Description]`
- Include:
  - Detailed description of the vulnerability
  - Steps to reproduce
  - Potential impact assessment
  - Suggested remediation (if available)
  - Your contact information for follow-up
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Based on severity (Critical: 24-72h, High: 7-14 days, Medium: 30 days)
- Public Disclosure: After fix is deployed and users have time to update (typically 30 days)
Security researchers who follow responsible disclosure will be:
- Credited in the CHANGELOG (if desired)
- Listed in our Hall of Fame (with permission)
- Eligible for acknowledgment in academic citations
Vértice-MAXIMUS contains offensive security tools designed for authorized security testing only. Security researchers testing this platform must:
- Obtain explicit written authorization from system owners
- Comply with all applicable laws:
  - United States: Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030)
  - Brazil: Lei Carolina Dieckmann (Lei 12.737/2012), Marco Civil da Internet (Lei 12.965/2014)
  - Europe: GDPR, Computer Misuse Act (UK), local regulations
- Limit scope to authorized targets only
- Report findings through responsible disclosure
The following activities are strictly prohibited and may result in legal action:
- Unauthorized access to systems or data
- Deployment of malware or destructive payloads
- Denial of service attacks
- Data exfiltration without authorization
- Testing on production systems without permission
- Exploitation for personal gain
- Sharing vulnerabilities publicly before remediation
```sh
# Always verify package integrity
npm audit --audit-level=high
# Use package lock files
npm ci --only=production
# Review dependencies
npm ls --depth=0
```
- Never commit secrets to version control
- Use environment variables for sensitive configuration
- Rotate credentials regularly
- Enable audit logging for all operations
- Implement least privilege access controls
- Monitor for anomalous behavior
- Run services with non-root users
- Use network segmentation for offensive tools
- Deploy IDS/IPS on network perimeter
- Enable comprehensive logging with centralized collection
- Implement security incident response procedures
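The following is an added example, not code from Vértice-MAXIMUS, showing how a Node.js service can enforce three of the practices listed above at start-up: required secrets are read only from environment variables and a missing value fails closed, the process refuses to run as root, and secret values are masked before any configuration is logged. The variable names (`VERTICE_API_TOKEN`, `VERTICE_DB_PASSWORD`) and the sample environment are constructed for illustration.

```javascript
// Added example, not part of Vértice-MAXIMUS. Start-up hardening for a Node.js
// service: secrets from environment variables only, no root, masked log output.
// The secret names below are hypothetical.
const SECRET_KEYS = ['VERTICE_API_TOKEN', 'VERTICE_DB_PASSWORD'];

// Collect the required secrets from an env-like object. Fails closed: a missing or
// blank value aborts start-up rather than running with an empty credential.
function loadSecrets(env, required = SECRET_KEYS) {
  const missing = required.filter(
    (k) => typeof env[k] !== 'string' || env[k].trim() === ''
  );
  if (missing.length > 0) {
    throw new Error(`missing required secret(s): ${missing.join(', ')}`);
  }
  return Object.fromEntries(required.map((k) => [k, env[k]]));
}

// Least privilege: refuse to start when the effective uid is 0. On Windows
// process.getuid is undefined; callers pass undefined there and the check is skipped.
function assertNotRoot(uid) {
  if (uid === 0) {
    throw new Error('refusing to run as root; use a dedicated unprivileged service account');
  }
  return true;
}

// Mask every secret value so the configuration can be logged or serialised safely.
function redactConfig(config, secretKeys = SECRET_KEYS) {
  const out = {};
  for (const [k, v] of Object.entries(config)) {
    out[k] = secretKeys.includes(k) ? '<redacted>' : v;
  }
  return out;
}

// Run the checks in order and return the live configuration for the application.
// Anything written to a log should go through redactConfig() first.
function startupChecks(env, uid) {
  assertNotRoot(uid);
  const secrets = loadSecrets(env);
  return { ...secrets, PORT: env.PORT || '8080' };
}

// Constructed sample environment standing in for process.env so this runs offline;
// the token and password are placeholders, not real credentials.
const sampleEnv = {
  VERTICE_API_TOKEN: 'tok_example_not_a_real_token',
  VERTICE_DB_PASSWORD: 'example-password',
  PORT: '9443',
};

// Demonstration: uid 1000 stands in for an unprivileged service account.
const demoConfig = startupChecks(sampleEnv, 1000);
console.log('starting with config:', redactConfig(demoConfig));

// A deployment that forgot to set the secrets is rejected before anything listens.
try {
  startupChecks({ PORT: '9443' }, 1000);
} catch (e) {
  console.log('start-up aborted:', e.message);
}
```

In production, pass `process.env` and `process.getuid && process.getuid()` in place of the constructed values; the functions are kept pure so they can be unit-tested without touching the real environment.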
| Date | Auditor | Scope | Findings |
|---|---|---|---|
| 2025-01 | Internal | Full codebase | No exposed secrets, clean repository |
- OWASP Vulnerability Disclosure Cheat Sheet
- ISO 29147:2018 Vulnerability Disclosure
- NIST SP 800-61r2 Computer Security Incident Handling Guide
Contact: [email protected]
PGP Key: Available upon request for encrypted communication
Copyright © 2025 Juan Carlos de Souza. All Rights Reserved.