REDACTS is a forensic analysis aid. It assists investigators but does not replace and cannot substitute for thorough manual review by qualified security professionals. Results are not guaranteed to be complete or definitive. Use REDACTS as an auxiliary tool within your incident response workflow, not as the sole basis for security decisions.
REDACTS does not modify, patch, or alter the files it scans. It is not affiliated with or endorsed by Vanderbilt University or the REDCap Consortium. REDCap® is a registered trademark of Vanderbilt University.
© 2024–2026 The Adimension / Shehab Anwer — atrium@theadimension.com · shehab.anwer@gmail.com
| Version | Supported |
|---|---|
| 2.0.x | Yes |
| < 2.0 | No |
If you discover a security vulnerability in REDACTS itself (not in a REDCap installation being scanned), please report it responsibly:
- Do not open a public GitHub issue
- Email atrium@theadimension.com or shehab.anwer@gmail.com with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- You will receive an acknowledgment within 48 hours
- A fix will be prioritized based on severity
This policy covers vulnerabilities in the REDACTS scanner tool itself, such as:
- Command injection through crafted file names or paths
- Arbitrary code execution via malicious input files
- Information disclosure from scanner output
- Dependency vulnerabilities in REDACTS's toolchain
This policy does not cover vulnerabilities in REDCap — report those to the REDCap Consortium directly.
REDACTS processes untrusted input (potentially compromised REDCap installations). The scanner is designed to:
- Never execute PHP code from scanned files
- Run external tools (Semgrep, Trivy) in sandboxed contexts
- Hash and classify files without interpreting their contents
- Produce read-only reports with no write-back to source
If you find a way to violate these guarantees, that is a reportable vulnerability.