Security: santhsecurity/wafrift

SECURITY.md

Security Policy

Reporting a Vulnerability

Please report security vulnerabilities privately through GitHub's built-in Private Vulnerability Reporting:

  1. Go to the repository's Security tab.
  2. Click Report a vulnerability and fill out the advisory form.

If private reporting is unavailable for some reason, email contactmukundthiru@gmail.com with:

  • Affected version / commit SHA
  • Reproduction steps and proof-of-concept (where safe to share)
  • Impact assessment

You will receive an acknowledgement within 5 business days. The coordinated-disclosure timeline is up to 90 days from acknowledgement; we will notify you before the patch ships.

Supported Versions

Only the main branch (and the latest published crate / package release) receives security fixes. Vendored snapshots and forks are responsible for backporting.

Out of Scope

  • Findings against archived branches or deprecated tags.
  • Self-XSS or social-engineering attacks against maintainers.
  • Reports that depend on a compromised upstream package without a reproducible downstream impact.

Coordinated Disclosure

GHSA advisories are filed under the appropriate Santh GitHub organization. We coordinate CVE assignment via GitHub's CNA when a fix ships.

Lawful Use & Repository Responsibility

wafrift is dual-use security research software. It implements WAF evasion techniques that, executed against systems you do not own or have written authorisation to test, may violate computer-misuse law (CFAA in the United States, Computer Misuse Act in the United Kingdom, StGB §202c in Germany, equivalent statutes in other jurisdictions).

By downloading, building, installing, or running wafrift you agree that:

  1. Authorisation is yours alone. You will only run wafrift against systems you own, operate, or have explicit written authorisation to test — bug-bounty scope, signed penetration-test agreement, CTF competition rules, or lab infrastructure under your control. You are responsible for verifying that authorisation before each engagement.
  2. Legal responsibility transfers to the operator. The Santh Security maintainers, contributors, and the project itself accept no liability for traffic generated by, damages caused by, or legal exposure resulting from your use of the tool.
  3. Unauthorised use is out of scope of any support. We will not help users bypass WAFs protecting systems they have no authorisation to interact with, including third-party SaaS, public web applications, or production infrastructure of organisations they do not represent.

The maintainers reserve the right to refuse support, contributions, or affiliation with users who demonstrate a pattern of unlawful use or who solicit help with attacks against unauthorised targets. Credible reports of misuse may be forwarded to the affected organisation's abuse@ / legal contact.

If you believe you have found wafrift being used against a system you operate without authorisation, contact contactmukundthiru@gmail.com with the request fingerprint (User-Agent, source IP, timestamp) and we will assist with attribution where possible.