The Breach Around project takes security seriously. As a tool designed for security professionals, we hold ourselves to high standards for:

• Protecting user data and credentials
• Secure handling of API keys and tokens
• Responsible vulnerability disclosure
• Maintaining operational security (OPSEC)

We provide security updates for the following versions:

Recommendation: Always use the latest version for the best security posture.

Please report any security vulnerabilities including:

• Authentication or authorization bypasses
• Credential leakage or exposure
• API key or token exposure
• Code injection vulnerabilities
• Dependency vulnerabilities (critical/high severity)
• Privacy violations
• Insecure default configurations

Please do NOT report as security issues:

• Missing security headers in documentation
• Theoretical attacks without proof of concept
• Issues in unsupported versions
• Social engineering concerns
• Issues requiring physical access
• Spam or denial of service on public APIs (report to API provider)

DO NOT create a public GitHub issue for security vulnerabilities!

Instead, report privately using one of these methods:

1. Go to the Security tab
2. Click "Report a vulnerability"
3. Fill out the advisory form with details
4. Submit the report

Send an email to: security@fusedgaming.com (or your preferred contact)

Email Template:

Subject: [SECURITY] Breach Around Vulnerability Report

Vulnerability Type: [e.g., Credential Exposure]
Severity: [Critical/High/Medium/Low]
Affected Version(s): [e.g., 0.1.0]
Attack Vector: [e.g., Local/Network/Adjacent]

Description:
[Detailed description of the vulnerability]

Steps to Reproduce:
1. [Step 1]
2. [Step 2]
3. [Step 3]

Impact:
[What can an attacker achieve?]

Proof of Concept:
[Code or screenshots demonstrating the issue]

Suggested Fix:
[If you have ideas for fixing it]

Your Information:
Name: [Your name or alias]
Contact: [Email or GitHub username]
Public Credit: [Yes/No - Do you want to be credited publicly?]

• We will acknowledge receipt within 48 hours
• We will provide an initial assessment within 7 days
• We will keep you updated on progress

• We will work with you to understand and reproduce the issue
• We will develop and test a fix
• We will coordinate a disclosure timeline (typically 90 days)
• We will credit you in release notes (if desired)

• No Persistent Storage: Credentials are never stored on disk
• Memory Sanitization: Sensitive data is cleared from memory after use
• No Logging: Passwords are never logged (even in debug mode)
• Encrypted Transit: All API calls use HTTPS/TLS

• k-Anonymity: HIBP password checks use k-anonymity (passwords never sent)
• Rate Limiting: Built-in rate limiting prevents abuse
• Token Management: API keys are loaded from environment variables
• Timeout Protection: All network requests have timeouts

• Public Release Vehicle: This repo contains sanitized code only
• Private Development: Development happens in private repository
• Automated Sync: Code is automatically sanitized before public release
• No Secrets in Code: All sensitive configuration uses environment variables

1. Keep Updated: Always use the latest version

   pip install --upgrade breach-around

2. Secure API Keys: Store keys in .env files, never in code

   # Good
   HIBP_API_KEY=your_key_here
   
   # Bad - don't commit keys!
   git add .env

3. Validate Input: Only check credentials you're authorized to test

4. Secure Results: Store results in encrypted locations or delete after use

5. Network Security: Use VPN or secure networks when running checks

1. Code Review: All code changes should be reviewed for security issues

2. Dependency Scanning: Run pip audit regularly

   pip install pip-audit
   pip-audit

3. Static Analysis: Use security linters

   pip install bandit
   bandit -r breach_around/

4. Secret Scanning: Never commit secrets

   git secrets --scan

5. Least Privilege: Request only necessary permissions

1. Verification: We verify the reported vulnerability
2. Assessment: We assess severity using CVSS v3.1
3. Fix Development: We develop a fix in private
4. Testing: We thoroughly test the fix
5. Release: We release a security update
6. Disclosure: We publish a security advisory

We use CVSS v3.1 for severity ratings:

Published advisories can be found at:

• GitHub Security Advisories

We recognize and thank security researchers who help improve Breach Around:

• [No reports yet - be the first!]

To be listed in our Hall of Fame:

• Report must be a valid security vulnerability
• Report must follow responsible disclosure
• Report must be submitted before public disclosure
• Researcher must agree to be publicly credited

• OWASP Top 10
• CWE - Common Weakness Enumeration
• CVE - Common Vulnerabilities and Exposures
• CVSS Calculator

Recommended tools for security testing:

# Dependency vulnerability scanning
pip install pip-audit
pip-audit

# Static security analysis
pip install bandit
bandit -r breach_around/

# Secret detection
pip install detect-secrets
detect-secrets scan

# SAST scanning
pip install semgrep
semgrep --config=auto .

We support safe harbor for security researchers who:

• Make a good faith effort to comply with this policy
• Do not access, modify, or delete user data
• Do not intentionally harm the system or users
• Do not publicly disclose vulnerabilities before coordinated disclosure
• Do not demand payment or compensation for disclosure

We will not pursue legal action against researchers who:

1. Follow this security policy
2. Act in good faith
3. Do not violate laws or terms of service
4. Coordinate disclosure responsibly

This security policy may be updated periodically. Significant changes will be:

• Announced in release notes
• Posted in repository discussions
• Highlighted in README

Last Updated: 2026-01-09 Policy Version: 1.0.0

• Security Email: security@fusedgaming.com
• GitHub Security: Report a vulnerability
• General Issues: GitHub Issues (non-security only)

Thank you for helping keep Breach Around and its users safe!

Security is a community effort, and we appreciate responsible researchers who help us identify and fix vulnerabilities before they can be exploited.

Remember: If in doubt, report it privately first. We're here to work with you, not against you.