Security
mendsec edited this page Jun 23, 2026 · 1 revision
Only the latest release receives security updates.
| Version | Supported |
|---|---|
| v0.2.x | ✅ Supported |
| v0.1.x | ❌ Upgrade required |
Do not open public GitHub issues for security vulnerabilities.
Contact the maintainer privately via the same channels used for catnet-core. The security policies apply identically across the entire CatNet ecosystem.
- Response target: 72 hours
- Escalation: If no response within 7 days, use GitHub private vulnerability reporting (Security → Report a vulnerability).
- catnet has three production dependencies: catnet-core, Cobra, and pflag.
- catnet itself has zero transitive dependencies beyond Cobra and pflag.
- catnet-core has zero external dependencies.
- `govulncheck` runs weekly in CI on catnet-core.
- All IP targets are validated through catnet-core's `ValidateIPv4` before any network operation.
- CIDRs are limited to a `/16` maximum (65,536 hosts) to prevent accidental OOM.
The exporter sanitises fields starting with formula-trigger characters (=, +, -, @, \t, \r) per OWASP CSV Injection guidance.
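A sketch of the field sanitisation described above, added here as an illustration and not taken from catnet's source. The names `sanitiseField` and `exportCSV` are hypothetical, and the single-quote prefix is assumed as the neutralising step (it is the mitigation OWASP describes); the sample rows are constructed.

```go
package main

import (
	"bytes"
	"encoding/csv"
	"fmt"
	"strings"
)

// Leading characters this page lists as formula triggers.
const formulaTriggers = "=+-@\t\r"

// sanitiseField (hypothetical name, assumed behaviour) prefixes a single
// quote when a field starts with a trigger, so spreadsheets read it as text.
func sanitiseField(s string) string {
	if s != "" && strings.IndexByte(formulaTriggers, s[0]) >= 0 {
		return "'" + s
	}
	return s
}

// exportCSV sanitises each field; encoding/csv then quotes commas, quotes, newlines.
func exportCSV(rows [][]string) (string, error) {
	var buf bytes.Buffer
	w := csv.NewWriter(&buf)
	for _, row := range rows {
		clean := make([]string, len(row))
		for i, f := range row {
			clean[i] = sanitiseField(f)
		}
		if err := w.Write(clean); err != nil {
			return "", err
		}
	}
	w.Flush()
	return buf.String(), w.Error()
}

func main() {
	// Constructed sample: hostname and note values originate on the scanned network.
	rows := [][]string{
		{"ip", "hostname", "note"},
		{"192.0.2.10", "=1+1", "a,b"},
		{"192.0.2.11", "-printer", "@home"},
	}
	if out, err := exportCSV(rows); err == nil {
		fmt.Print(out)
	}
}
```

Sanitising before handing the row to `encoding/csv` keeps the two concerns separate: the prefix stops formula evaluation, while the CSV writer handles structural quoting.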
ICMP ping requires raw socket access on most OS configurations:
| OS | Requirement |
|---|---|
| Linux | Root, or grant CAP_NET_RAW capability |
| macOS | Root, or setuid-root binary |
| Windows | Standard user may be sufficient depending on UAC configuration |
catnet performs active network scanning. Always obtain written authorisation before scanning networks you do not own.
© 2026 Fábio Mendes · MIT License · catnet · catnet-core · Report an issue