netadmin/GDPRScanner
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
GDPRScanner/SECURITY.md
StyxX65 c26dd7d320 Add Zoraxy HTTPS setup guide, correct SECURITY.md bind address 
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-11 15:20:33 +02:00

2.6 KiB
Raw Blame History

Security Policy

Supported Versions

Version Supported
Latest Yes

We support only the latest release. Please update before reporting a bug.

Reporting a Vulnerability

Please do not file a public GitHub issue for security vulnerabilities.

This tool processes sensitive personal data including Danish CPR numbers (national identifiers). Security issues should be reported privately so a fix can be prepared before public disclosure.

Report to: Open a GitHub Security Advisory (Settings → Security → Advisories → New draft advisory)

Please include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any relevant logs or screenshots (redact personal data)
  • Your suggested fix if you have one

We will acknowledge receipt within 3 business days and aim to release a fix within 14 days for critical issues.

Scope

Issues we consider in scope:

  • Authentication bypass or token leakage in the M365 connector
  • Unauthorised access to scan results via the web UI
  • CPR numbers or other personal data exposed in logs, error messages, or API responses
  • SQL injection or path traversal in the local scanner or database layer
  • SSRF (Server-Side Request Forgery) via URL inputs
  • Dependency vulnerabilities with a known exploit path

Out of scope:

  • Issues requiring physical access to the machine running the scanner
  • Vulnerabilities in Microsoft Graph API itself (report to Microsoft MSRC)
  • Social engineering attacks

Data Handling Notes for Security Researchers

  • CPR numbers are stored in the SQLite database as SHA-256 hashes only — never in plaintext
  • SMTP passwords are stored in ~/.gdprscanner/smtp.json with chmod 600
  • Microsoft OAuth tokens are stored in the MSAL token cache in ~/.gdprscanner/token.json
  • Scan results are stored locally in ~/.gdprscanner/scanner.db — never transmitted externally
  • The web UI binds to 0.0.0.0 by default so reviewers on the LAN can reach it — it is not designed to be exposed to the internet. For encrypted transport, put it behind a TLS-terminating reverse proxy and bind the app to loopback with --host 127.0.0.1 — see docs/setup/ZORAXY_SETUP.md

Dependency Security

This project uses Python dependencies listed in requirements.txt. We recommend running pip audit or safety check periodically to identify known CVEs in dependencies.

pip install pip-audit
pip-audit -r requirements.txt