| Version | Supported |
|---|---|
| latest | ✅ |
Please do NOT open a public issue for security vulnerabilities.
If you discover a security vulnerability in Maya, please report it responsibly:
- Email: Send details to the maintainers (add your security contact email here)
- GitHub Security Advisories: Use the private vulnerability reporting feature
Please include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response timeline:
- Acknowledgment: within 48 hours
- Triage: within 1 week
- Fix: depends on severity; critical issues are prioritized immediately
Maya is a security testing tool. Vulnerabilities in the tool itself (e.g., sandbox escapes, command injection in tool execution, credential leakage) are in scope. Issues in third-party tools installed inside the Docker sandbox (Frida, Nuclei, etc.) should be reported to their respective projects.
Security measures already in place in the project:
- All dangerous tool execution happens inside Docker sandboxes
- No credentials are stored in code; they are supplied only via environment variables or config files
- CodeQL analysis runs on every PR
- Dependencies are monitored via Dependabot