If you discover a security vulnerability in Counterscarp Engine, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please email us at: contact@counterscarp.io

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 5 business days
• Fix Timeline: Depends on severity
  • Critical: 24-72 hours
  • High: 1-2 weeks
  • Medium/Low: Next release cycle

The following are in scope:

• Counterscarp Engine core analyzers and scanning logic
• License validation and key management
• Web application (app.counterscarp.io)
• CLI tools and report generation

The following are out of scope:

• Third-party dependencies (report to the respective maintainer)
• Social engineering attacks
• Denial of service attacks

We appreciate responsible disclosure and will credit reporters in our release notes (unless they prefer to remain anonymous).