Conduit is a security research and penetration testing tool designed for authorized use only. This security policy addresses both:
- Security vulnerabilities in Conduit itself
- Responsible use of Conduit's capabilities
Conduit may be used in the following contexts:
- Penetration Testing: With explicit written authorization from system owners
- Red Team Operations: Within authorized scope and rules of engagement
- Security Research: In controlled laboratory or sandboxed environments
- CTF Competitions: Capture The Flag events and security training exercises
- Defensive Security: Blue team tool development and defensive testing
- Academic Research: University and institutional research with proper ethics approval
The following uses are strictly prohibited:
- Unauthorized access to any computer system or network
- Malicious activities or criminal purposes
- Testing without explicit written permission
- Deployment on systems you do not own or control
- Bypassing security controls without authorization
- Any use that violates local, state, or federal laws
Users are solely responsible for:
- Obtaining proper authorization before deployment
- Complying with all applicable laws and regulations
- Understanding the legal implications in their jurisdiction
- Maintaining documentation of authorization
- Operating within the scope of granted permissions
Note: Many jurisdictions have laws against unauthorized computer access (e.g., Computer Fraud and Abuse Act in the US, Computer Misuse Act in the UK). Violations can result in criminal prosecution, civil liability, and significant penalties.
We accept vulnerability reports for:
- Code Vulnerabilities: Buffer overflows, memory leaks, injection flaws
- Build Process: Malicious dependencies, compromised build artifacts
- Documentation: Misleading security claims, incomplete warnings
- License Compliance: GPL violations, missing attributions
The following are not security vulnerabilities:
- Detection by security tools (expected behavior)
- Network traffic visibility (known limitation)
- Process masquerading limitations on specific platforms
- Social engineering or user error scenarios
For security vulnerabilities in Conduit itself:
- DO NOT open a public GitHub issue
- Email security reports to: [Create a security contact or use GitHub Security Advisories]
- Include:
- Vulnerability description
- Steps to reproduce
- Affected versions
- Potential impact
- Suggested fix (if available)
For responsible disclosure:
- We aim to respond within 48 hours
- We will work with you to understand and verify the issue
- We will credit you in the fix announcement (if desired)
- We follow a 90-day disclosure timeline
You can also report vulnerabilities through GitHub Security Advisories:
- Go to the Security tab
- Click "Report a vulnerability"
- Fill out the advisory form
| Version | Supported | Notes |
|---|---|---|
| 1.0.x | ✅ | Current release |
| < 1.0 | ❌ | Development versions - upgrade to 1.0+ |
Argument Hiding:
- Prevents casual inspection of command-line arguments
- Platform-specific implementations (prctl, setproctitle)
- Mitigates information disclosure via process listing
Process Masquerading:
- Allows operation with non-suspicious process names
- Multiple preset identities for common scenarios
- Reduces likelihood of automated detection
What Conduit DOES NOT protect against:
| Detection Method | Protected | Notes |
|---|---|---|
| ps, top, htop | ✅ | Hidden |
| /proc/<pid>/cmdline | ✅ | Hidden |
| /proc/<pid>/environ | ❌ | Visible |
| System call tracing (strace) | ❌ | Fully visible |
| Network monitoring | ❌ | Traffic is not encrypted by default |
| Kernel security modules | ❌ | May detect process manipulation |
| EDR/XDR solutions | ❌ | Advanced monitoring may detect |
| Memory forensics | ❌ | Arguments recoverable from memory |
Important: Conduit is designed for authorized testing where some level of monitoring is expected. It is not a tool for evading sophisticated monitoring in unauthorized contexts.
In Scope:
- Hiding from basic system monitoring tools
- Reducing process listing footprint
- Authorized testing with known monitoring
Out of Scope:
- Evading advanced EDR/XDR systems
- Anti-forensics or evidence destruction
- Defeating kernel-level security modules
- Sophisticated network traffic analysis evasion
If you are a defender, you can detect Conduit by:
- Monitoring for process name changes (prctl syscalls)
- Network traffic analysis (relay patterns)
- System call tracing (strace, dtrace, eBPF)
- Memory inspection (argv recovery)
- File integrity monitoring (unauthorized binaries)
- Behavioral analysis (unusual network connections)
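The table above and the detection list both rest on the same fact: name-only masquerading (prctl PR_SET_NAME, setproctitle) rewrites what `ps` and `/proc/<pid>/cmdline` show, but not the `/proc/<pid>/exe` link, which the kernel resolves from the mapped binary. The script below is an added defender-side example, not part of Conduit or of the page; it cross-checks the three identities for every process and flags disagreements. The function and variable names are my own, and the `/proc` layout it assumes is Linux.

```bash
#!/bin/sh
# Added example (not Conduit's own code): flag processes whose displayed name
# disagrees with the executable actually mapped at /proc/<pid>/exe.

# Returns 0 when the three identities agree, 1 when they do not.
#   $1 = contents of /proc/<pid>/comm
#   $2 = basename of the /proc/<pid>/exe link target
#   $3 = argv[0] (first NUL-separated field of /proc/<pid>/cmdline)
check_process_identity() {
  comm="$1"; exe="$2"; argv0="${3##*/}"
  # The kernel truncates comm to 15 bytes, so compare against the exe prefix.
  exe_short=$(printf '%s' "$exe" | cut -c1-15)
  [ "$comm" = "$exe_short" ] && [ "$argv0" = "$exe" ] && return 0
  return 1
}

# Walks /proc and prints one line per mismatch. Processes that exit mid-scan
# or whose exe link is unreadable (other users' processes, without root) are
# skipped; kernel threads have an empty cmdline and are skipped too.
scan_proc() {
  for d in /proc/[0-9]*; do
    pid="${d#/proc/}"
    comm=$(cat "$d/comm" 2>/dev/null) || continue
    exe=$(readlink "$d/exe" 2>/dev/null) || continue
    argv0=$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
    [ -n "$argv0" ] || continue
    check_process_identity "$comm" "${exe##*/}" "$argv0" \
      || printf 'MISMATCH pid=%s comm=%s argv0=%s exe=%s\n' \
           "$pid" "$comm" "$argv0" "$exe"
  done
}

# Run the scan when executed directly (sourcing the file only defines the functions).
case "$0" in
  *proc_identity*) scan_proc ;;
esac
```

Treat the output as a triage signal, not a verdict: login shells (`-bash`), interpreters running scripts, and daemons that legitimately retitle themselves will also show up, so baseline the normal mismatches on a host first. A binary whose exe target ends in `(deleted)` is flagged as well, which is worth a look in its own right. Tracing `prctl` calls with strace or eBPF, as listed above, catches the rename at the moment it happens rather than after the fact.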
When downloading pre-built binaries:
- Verify GPG signatures (when available)
- Compare checksums against published hashes
- Build from source for maximum assurance
When building from source:
```bash
# Verify git commit signatures
git log --show-signature
# Review code before building
grep -r "system\|exec\|eval" .
# Build with debug symbols for analysis
make CFLAGS="-Wall -g -O0"
```
- Source Code: Hosted on GitHub with commit signing
- Base: Built on SOCAT 1.7.3.3 (well-established project)
- Dependencies: Minimal (OpenSSL, readline - both optional)
- Build Process: Standard make + autoconf (no npm/pip dependencies)
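The checklist for pre-built binaries (verify signatures, compare checksums) is easy to do by eye and get wrong. The script below is an added example, not tooling shipped with Conduit: it compares a downloaded artifact against a published SHA-256 digest and refuses to continue on mismatch, with a separate helper for a detached GPG signature. The function names are mine, and the digest in the usage comment is a constructed sample; the project's real hashes and signing key must come from its own release page, obtained out of band.

```bash
#!/bin/sh
# Added example (not Conduit's own tooling): verify a downloaded artifact
# against its published SHA-256 digest before running or installing it.

sha256_of() {
  # Prefer GNU coreutils; fall back to shasum (macOS, BSD).
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Returns 0 when the artifact's digest equals the published one, else 1.
# The published digest is lower-cased so copy-pasted upper-case hex still matches.
verify_sha256() {
  file="$1"; expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -r "$file" ] || { printf 'missing artifact: %s\n' "$file" >&2; return 1; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    printf 'OK   %s\n' "$file"
    return 0
  fi
  printf 'FAIL %s\n  expected %s\n  actual   %s\n' "$file" "$expected" "$actual" >&2
  return 1
}

# Checks a detached signature "<artifact>.asc" when the project publishes one.
# The signing key must already be in the local keyring; gpg's exit status is returned.
verify_signature() {
  gpg --verify "$1.asc" "$1"
}

# Usage (constructed sample, not a real Conduit release hash):
#   verify_sha256 conduit-1.0.0.tar.gz <published-sha256-from-release-page> \
#     && verify_signature conduit-1.0.0.tar.gz
```

The checksum proves only that the download matches what the publisher posted; if the checksum file sits next to the binary on the same server, an attacker who can swap one can swap both, so the signature check (or a build from source with signed commits, as above) is what anchors trust.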
Before deployment:
- ✅ Obtain explicit written authorization
- ✅ Document scope and limitations
- ✅ Understand monitoring in target environment
- ✅ Plan for detection and response
- ✅ Establish communication channels
During operation:
- ✅ Operate only within authorized scope
- ✅ Maintain audit logs of activities
- ✅ Monitor for unexpected behavior
- ✅ Be prepared to explain presence to defenders
- ✅ Coordinate with blue team (if applicable)
After operation:
- ✅ Remove all deployed binaries
- ✅ Document activities performed
- ✅ Report findings to system owners
- ✅ Verify cleanup with defenders
- ✅ Update authorization documentation
Conduit does not store credentials, but when using it with authentication:
- Never hardcode credentials in command lines
- Use environment variables or config files with restricted permissions
- Rotate credentials after testing
- Securely delete credentials from memory after use
If Conduit is detected during authorized testing:
- Immediately contact the system owner
- Provide authorization documentation
- Explain the testing activity
- Coordinate with security team
- Document the detection method
If used without authorization (by others):
- Treat as a security incident
- Collect evidence (process details, network connections)
- Isolate affected systems if necessary
- Review authorization documentation
- Report to appropriate authorities
- Vulnerability Reports: Use GitHub Security Advisories
- General Security Questions: Open a GitHub Discussion
- Responsible Disclosure: Follow 90-day timeline
- Legal/Compliance: Contact repository maintainers
Conduit is licensed under GPLv2 with OpenSSL exception.
THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.
THE AUTHORS ARE NOT LIABLE FOR ANY DAMAGES ARISING FROM USE.
By using Conduit, you accept:
- All security limitations described in this document
- Full responsibility for authorized and lawful use
- Liability for any misuse or unauthorized deployment
- The terms of the GNU General Public License version 2
- Computer Fraud and Abuse Act (CFAA)
- OWASP Penetration Testing Methodologies
- NIST Cybersecurity Framework
- Original SOCAT Security
Last Updated: 2026-04-03
Version: 1.0.0