added privacy

PRIVACY.md

@@ -0,0 +1,250 @@
+# Privacy Policy
+
+**AASRT (AI Agent Security Reconnaissance Tool)**  
+**Effective Date:** February 2025  
+**Version:** 1.0.0
+
+---
+
+## Overview
+
+AASRT is an open-source security reconnaissance tool designed for security researchers, bug bounty hunters, and DevSecOps teams. This privacy policy explains how AASRT handles data during operation.
+
+**Key Principle:** AASRT is a local tool. All scan data is stored on your machine. We do not operate servers that collect your data.
+
+---
+
+## 1. Data Collection
+
+### What AASRT Collects During Scans
+
+| Data Type | Description | Source |
+|-----------|-------------|--------|
+| **IP Addresses** | Public IP addresses of discovered hosts | Shodan API |
+| **Port Information** | Open ports and service banners | Shodan API |
+| **Vulnerability Findings** | Identified security issues and risk scores | AASRT analysis |
+| **Host Metadata** | Hostnames, organizations, geographic location | Shodan API |
+| **Scan Metadata** | Timestamps, query used, scan duration | AASRT |
+
+### What AASRT Does NOT Collect
+
+- ❌ Personal information beyond publicly indexed data
+- ❌ Your Shodan API key (never logged or transmitted)
+- ❌ Authentication credentials found in scans (redacted in logs)
+- ❌ Analytics or telemetry about your usage
+- ❌ Any data sent to AASRT developers or third parties
+
+---
+
+## 2. Data Storage
+
+### Local Database
+
+All scan data is stored locally in a SQLite database:
+
+```
+data/scanner.db
+```
+
+**You have complete control over this data.** It never leaves your machine unless you explicitly export and share it.
+
+### Data Retention
+
+| Data Type | Default Retention | Configurable |
+|-----------|-------------------|--------------|
+| Scan Results | 90 days | Yes |
+| Audit Logs | 1 year | Yes |
+| Error Logs | 30 days | Yes |
+
+### Data Deletion
+
+You can delete your data at any time:
+
+- **Delete individual scans:** Use the CLI or dashboard to remove specific scans
+- **Bulk cleanup:** Run `cleanup_old_data(days=N)` to remove scans older than N days
+- **Complete deletion:** Delete the `data/scanner.db` file
+
+---
+
+## 3. Third-Party Services
+
+### Shodan API
+
+AASRT uses the [Shodan API](https://www.shodan.io/) to discover publicly indexed hosts. When you run a scan:
+
+- Your query is sent to Shodan's servers
+- Shodan returns publicly indexed information
+- Shodan's [Privacy Policy](https://www.shodan.io/privacy) and [Terms of Service](https://www.shodan.io/terms) apply
+
+**Important:** Shodan only indexes publicly accessible information. AASRT does not perform active scanning—it queries Shodan's existing database of internet-wide scans.
+
+### ClawSec Advisory Feed
+
+AASRT optionally fetches security advisories from ClawSec for threat enrichment. This is a public feed and does not transmit your scan data.
+
+---
+
+## 4. API Key Security
+
+Your Shodan API key is handled with care:
+
+| Security Measure | Implementation |
+|------------------|----------------|
+| **Storage** | Environment variable (`SHODAN_API_KEY`) - never in code |
+| **Logging** | Never logged - automatically redacted |
+| **Transmission** | HTTPS only to Shodan API |
+| **Visibility** | Masked in dashboard and CLI output |
+
+### Automatic Redaction
+
+AASRT automatically redacts sensitive patterns in logs and output:
+
+- Anthropic API keys (`sk-ant-***`)
+- OpenAI API keys (`sk-***`)
+- AWS credentials (`AKIA***`)
+- GitHub tokens (`ghp_***`)
+- Shodan API keys (`***REDACTED_KEY***`)
+- Passwords and secrets
+
+---
+
+## 5. Personal Data & Compliance
+
+### No PII Collection
+
+AASRT does not collect personal information beyond what is already publicly indexed by Shodan. The tool discovers:
+
+- Publicly exposed servers and services
+- Misconfigured AI agent deployments
+- Information already visible to anyone on the internet
+
+### Anonymization Options
+
+When generating reports, you can anonymize findings:
+
+- Mask IP address octets (e.g., `192.168.1.xxx`)
+- Remove organization names
+- Redact hostnames
+
+Configure via `anonymize_by_default: true` in `config.yaml`.
+
+### Regulatory Alignment
+
+AASRT is designed with the following regulations in mind:
+
+| Regulation | Consideration |
+|------------|---------------|
+| **GDPR (EU)** | Right to delete data; no PII collection; local storage only |
+| **CFAA (US)** | Passive reconnaissance only; no unauthorized access |
+| **Computer Misuse Act (UK)** | No active exploitation; queries public databases only |
+
+**Note:** Compliance ultimately depends on how you use the tool. Always ensure you have authorization for security assessments.
+
+---
+
+## 6. Your Rights
+
+As the user, you have full control:
+
+| Right | How to Exercise |
+|-------|-----------------|
+| **Access** | View all scan data in the dashboard or database |
+| **Export** | Export findings to JSON/CSV at any time |
+| **Delete** | Remove individual scans or all data |
+| **Retention** | Configure how long data is kept |
+| **Portability** | SQLite database can be moved or backed up |
+
+---
+
+## 7. Logging Practices
+
+### What IS Logged (`logs/scanner.log`)
+
+- Scan start/end timestamps
+- Query names and types (not the full query)
+- Number of results found
+- Errors and warnings
+- Database operations (create, update, delete)
+
+### What is NOT Logged
+
+- ❌ API keys or credentials
+- ❌ Full Shodan API responses
+- ❌ Detailed vulnerability exploitation paths
+- ❌ User identity or system information
+
+### Log Configuration
+
+```yaml
+# config.yaml
+logging:
+  level: INFO          # DEBUG, INFO, WARNING, ERROR
+  file: ./logs/scanner.log
+  max_size_mb: 100     # Rotate at 100MB
+  backup_count: 5      # Keep 5 backup files
+```
+
+---
+
+## 8. Report Sharing Considerations
+
+When you export and share scan reports (JSON/CSV), consider:
+
+### Before Sharing
+
+✅ **Do:**
+- Review findings for sensitive information
+- Use anonymization options for public reports
+- Redact organization names if not authorized
+- Follow responsible disclosure practices
+
+❌ **Don't:**
+- Share reports containing unexploited vulnerabilities publicly
+- Include API keys or credentials found in scans
+- Distribute findings without authorization
+
+### Responsible Disclosure
+
+If you discover vulnerabilities in third-party systems:
+
+1. Attempt to contact the affected organization
+2. Allow 90 days for remediation before public disclosure
+3. Anonymize sensitive details in public reports
+4. Consider coordinating with CERTs for critical findings
+
+---
+
+## 9. Legal Disclaimer
+
+AASRT is a **passive reconnaissance tool** that queries publicly available data. However:
+
+- **You are responsible** for ensuring your use complies with applicable laws
+- **Authorization is required** for security assessments of systems you don't own
+- **This tool is provided "as-is"** without warranty of any kind
+- **The developers are not liable** for misuse or illegal activity
+
+See the full [LICENSE](LICENSE) and legal disclaimers in the [README](README.md).
+
+---
+
+## 10. Policy Updates
+
+This privacy policy may be updated as the tool evolves. Changes will be:
+
+- Documented in the repository's commit history
+- Noted in release notes for significant changes
+- Effective immediately upon commit
+
+---
+
+## Contact
+
+For privacy-related questions or concerns:
+
+- **GitHub Issues:** [github.com/0xsrb/AASRT/issues](https://github.com/0xsrb/AASRT/issues)
+- **Repository:** [github.com/0xsrb/AASRT](https://github.com/0xsrb/AASRT)
+
+---
+
+*This privacy policy is designed for an open-source security tool and may not cover all legal requirements in your jurisdiction. Consult legal counsel if needed.*
+