Privacy Policy
AASRT (AI Agent Security Reconnaissance Tool)
Effective Date: February 2025
Version: 1.0.0
Overview
AASRT is an open-source security reconnaissance tool designed for security researchers, bug bounty hunters, and DevSecOps teams. This privacy policy explains how AASRT handles data during operation.
Key Principle: AASRT is a local tool. All scan data is stored on your machine. We do not operate servers that collect your data.
1. Data Collection
What AASRT Collects During Scans
| Data Type | Description | Source |
|---|---|---|
| IP Addresses | Public IP addresses of discovered hosts | Shodan API |
| Port Information | Open ports and service banners | Shodan API |
| Vulnerability Findings | Identified security issues and risk scores | AASRT analysis |
| Host Metadata | Hostnames, organizations, geographic location | Shodan API |
| Scan Metadata | Timestamps, query used, scan duration | AASRT |
What AASRT Does NOT Collect
- ❌ Personal information beyond publicly indexed data
- ❌ Your Shodan API key (never logged or transmitted)
- ❌ Authentication credentials found in scans (redacted in logs)
- ❌ Analytics or telemetry about your usage
- ❌ Any data sent to AASRT developers or third parties
2. Data Storage
Local Database
All scan data is stored locally in a SQLite database: `data/scanner.db`
You have complete control over this data. It never leaves your machine unless you explicitly export and share it.
Data Retention
| Data Type | Default Retention | Configurable |
|---|---|---|
| Scan Results | 90 days | Yes |
| Audit Logs | 1 year | Yes |
| Error Logs | 30 days | Yes |
Data Deletion
You can delete your data at any time:
- Delete individual scans: Use the CLI or dashboard to remove specific scans
- Bulk cleanup: Run `cleanup_old_data(days=N)` to remove scans older than N days
- Complete deletion: Delete the `data/scanner.db` file
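The bulk-cleanup and retention behaviour described above, as an added example (this is not AASRT's own code; the table and column names, the `scans`/`findings` split and the cascade are assumptions, since the policy does not publish the real schema). The point worth seeing is that a `DELETE` on its own leaves the old rows recoverable inside the SQLite file until it is rebuilt, so the cleanup ends with `VACUUM`:

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed minimal schema standing in for data/scanner.db. The policy does
# not publish AASRT's real schema, so these table and column names are assumptions.
SCHEMA = """
CREATE TABLE IF NOT EXISTS scans (
    id         INTEGER PRIMARY KEY,
    query      TEXT NOT NULL,
    started_at TEXT NOT NULL        -- ISO-8601 timestamp in UTC
);
CREATE TABLE IF NOT EXISTS findings (
    id         INTEGER PRIMARY KEY,
    scan_id    INTEGER NOT NULL REFERENCES scans(id) ON DELETE CASCADE,
    host       TEXT NOT NULL,
    risk_score INTEGER NOT NULL
);
"""

# Fixed "current time" so the constructed sample ages below are reproducible.
SAMPLE_NOW = datetime(2025, 2, 1, tzinfo=timezone.utc)


def open_db(path=":memory:"):
    """Open (or create) the scan database with cascading deletes enabled."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA foreign_keys = ON")   # required for ON DELETE CASCADE
    conn.executescript(SCHEMA)
    return conn


def seed_sample_data(conn, now=SAMPLE_NOW):
    """Insert three constructed scans aged 5, 45 and 120 days, one finding each."""
    for label, age_days in (("sample-query-a", 5), ("sample-query-b", 45), ("sample-query-c", 120)):
        started = (now - timedelta(days=age_days)).isoformat()
        cur = conn.execute(
            "INSERT INTO scans (query, started_at) VALUES (?, ?)", (label, started)
        )
        conn.execute(
            "INSERT INTO findings (scan_id, host, risk_score) VALUES (?, ?, ?)",
            (cur.lastrowid, "203.0.113.10", 5),   # 203.0.113.0/24 is documentation address space
        )
    conn.commit()


def cleanup_old_data(conn, days, now=None):
    """Delete scans older than `days`; their findings go with them via the cascade.

    Returns the number of scans removed. ISO-8601 strings in one fixed format
    sort chronologically, so a plain string comparison on started_at is safe.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = (now - timedelta(days=days)).isoformat()
    cur = conn.execute("DELETE FROM scans WHERE started_at < ?", (cutoff,))
    removed = cur.rowcount
    conn.commit()
    # Deleted rows remain on freelist pages inside the file until it is rebuilt;
    # VACUUM rewrites the file so the data is actually gone from disk.
    conn.execute("VACUUM")
    return removed


def count_rows(conn, table):
    """Row count for one of the two known tables (name is whitelisted, never interpolated blindly)."""
    if table not in ("scans", "findings"):
        raise ValueError("unknown table")
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    seed_sample_data(db)
    print("before:", count_rows(db, "scans"), "scans")
    print("removed:", cleanup_old_data(db, days=90, now=SAMPLE_NOW))
    print("after:", count_rows(db, "scans"), "scans,", count_rows(db, "findings"), "findings")
```

With the 90-day default from the retention table, the 120-day-old scan and its finding are removed and the two newer ones stay; running the same function with `days=30` then removes the 45-day-old scan as well.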
3. Third-Party Services
Shodan API
AASRT uses the Shodan API to discover publicly indexed hosts. When you run a scan:
- Your query is sent to Shodan's servers
- Shodan returns publicly indexed information
- Shodan's Privacy Policy and Terms of Service apply
Important: Shodan only indexes publicly accessible information. AASRT does not perform active scanning—it queries Shodan's existing database of internet-wide scans.
ClawSec Advisory Feed
AASRT optionally fetches security advisories from ClawSec for threat enrichment. This is a public feed and does not transmit your scan data.
4. API Key Security
Your Shodan API key is handled with care:
| Security Measure | Implementation |
|---|---|
| Storage | Environment variable (SHODAN_API_KEY) - never in code |
| Logging | Never logged - automatically redacted |
| Transmission | HTTPS only to Shodan API |
| Visibility | Masked in dashboard and CLI output |
Automatic Redaction
AASRT automatically redacts sensitive patterns in logs and output:
- Anthropic API keys (`sk-ant-***`)
- OpenAI API keys (`sk-***`)
- AWS credentials (`AKIA***`)
- GitHub tokens (`ghp_***`)
- Shodan API keys (`***REDACTED_KEY***`)
- Passwords and secrets
5. Personal Data & Compliance
No PII Collection
AASRT does not collect personal information beyond what is already publicly indexed by Shodan. The tool discovers:
- Publicly exposed servers and services
- Misconfigured AI agent deployments
- Information already visible to anyone on the internet
Anonymization Options
When generating reports, you can anonymize findings:
- Mask IP address octets (e.g., `192.168.1.xxx`)
- Remove organization names
- Redact hostnames
Configure via `anonymize_by_default: true` in `config.yaml`.
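The three anonymization options above, applied to an exported report, as an added example (not AASRT's own code). The finding fields (`ip`, `org`, `hostname`, `risk_score`) and the sample rows are constructed for the example; only the `anonymize_by_default` flag comes from the policy. The IPv6 handling goes beyond the page's IPv4 example: it keeps the /64 prefix and masks the rest, which is the closest analogue of masking the last octet.

```python
import ipaddress
import json

# Constructed sample findings in the shape this example assumes for exported
# reports; the real AASRT export format is not shown in the policy.
SAMPLE_FINDINGS = [
    {"ip": "203.0.113.42", "port": 8080, "org": "Example Corp",
     "hostname": "agent.example.com", "risk_score": 8},
    {"ip": "2001:db8::1", "port": 443, "org": "Example Org",
     "hostname": "api.example.org", "risk_score": 4},
]


def mask_ip(ip):
    """Mask the host part: the last octet for IPv4 (192.168.1.xxx) and the
    last four groups for IPv6 (only the /64 prefix survives)."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on malformed input
    if addr.version == 4:
        return ".".join(str(addr).split(".")[:3] + ["xxx"])
    return ":".join(addr.exploded.split(":")[:4] + ["xxxx"] * 4)


def anonymize_finding(finding, mask_ips=True, remove_org=True, redact_hostname=True):
    """Return a copy of one finding with the three anonymization options applied."""
    out = dict(finding)
    if mask_ips and "ip" in out:
        out["ip"] = mask_ip(out["ip"])
    if remove_org:
        out.pop("org", None)
    if redact_hostname and "hostname" in out:
        out["hostname"] = "[redacted]"
    return out


def anonymized_rows(findings, config):
    """Apply anonymization when config.yaml sets anonymize_by_default: true.

    Always returns copies, so the stored findings are never modified in place.
    """
    if config.get("anonymize_by_default", False):
        return [anonymize_finding(f) for f in findings]
    return [dict(f) for f in findings]


def render_report(findings, config):
    """JSON report body as it would be written to disk for sharing."""
    return json.dumps(anonymized_rows(findings, config), indent=2)


if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS, {"anonymize_by_default": True}))
```

Risk scores and ports are left untouched, so an anonymized report still carries the information a reader needs to judge severity without identifying the host or its owner.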
Regulatory Alignment
AASRT is designed with the following regulations in mind:
| Regulation | Consideration |
|---|---|
| GDPR (EU) | Right to delete data; no PII collection; local storage only |
| CFAA (US) | Passive reconnaissance only; no unauthorized access |
| Computer Misuse Act (UK) | No active exploitation; queries public databases only |
Note: Compliance ultimately depends on how you use the tool. Always ensure you have authorization for security assessments.
6. Your Rights
As the user, you have full control:
| Right | How to Exercise |
|---|---|
| Access | View all scan data in the dashboard or database |
| Export | Export findings to JSON/CSV at any time |
| Delete | Remove individual scans or all data |
| Retention | Configure how long data is kept |
| Portability | SQLite database can be moved or backed up |
7. Logging Practices
What IS Logged (logs/scanner.log)
- Scan start/end timestamps
- Query names and types (not the full query)
- Number of results found
- Errors and warnings
- Database operations (create, update, delete)
What is NOT Logged
- ❌ API keys or credentials
- ❌ Full Shodan API responses
- ❌ Detailed vulnerability exploitation paths
- ❌ User identity or system information
Log Configuration
```yaml
# config.yaml
logging:
  level: INFO               # DEBUG, INFO, WARNING, ERROR
  file: ./logs/scanner.log
  max_size_mb: 100          # Rotate at 100MB
  backup_count: 5           # Keep 5 backup files
```
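The automatic redaction from section 4 and the rotating log configuration above, combined in one added example (not AASRT's own code). The policy names the replacement strings but not the matchers, so the regexes are assumptions; the Shodan key is handled differently from the others, by exact-value replacement of whatever `SHODAN_API_KEY` holds, because a pattern broad enough to catch any 32-character token would also mangle legitimate log content. The handler settings are taken from the `config.yaml` fragment.

```python
import logging
import os
import re
from logging.handlers import RotatingFileHandler

# Patterns mirror the redaction list in section 4. The exact regexes are
# assumptions: the policy names the replacement strings, not the matchers.
SECRET_PATTERNS = [
    (re.compile(r"sk-ant-[A-Za-z0-9_\-]+"), "sk-ant-***"),      # Anthropic keys
    (re.compile(r"sk-[A-Za-z0-9_\-]{8,}"), "sk-***"),            # OpenAI keys (checked after sk-ant)
    (re.compile(r"AKIA[0-9A-Z]{16}"), "AKIA***"),                # AWS access key IDs
    (re.compile(r"ghp_[A-Za-z0-9]{20,}"), "ghp_***"),            # GitHub personal access tokens
    (re.compile(r"(?i)\b(password|secret|token)=\S+"), r"\1=***REDACTED***"),
]

# Mirrors the config.yaml fragment in section 7.
LOG_CONFIG = {"level": "INFO", "file": "./logs/scanner.log", "max_size_mb": 100, "backup_count": 5}


def redact(text, known_secrets=()):
    """Replace known secret values first (exact match), then pattern-based ones."""
    for secret in known_secrets:
        if secret:
            text = text.replace(secret, "***REDACTED_KEY***")
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites each record's rendered message before any handler writes it.

    The message is formatted here, so secrets passed as %s arguments are caught too.
    """

    def __init__(self, known_secrets=()):
        super().__init__()
        self.known_secrets = tuple(known_secrets)

    def filter(self, record):
        record.msg = redact(record.getMessage(), self.known_secrets)
        record.args = None            # already rendered; prevents a second % formatting
        return True


def format_redacted(msg, args=(), known_secrets=()):
    """Run one message through the filter and return what would reach the log file."""
    record = logging.LogRecord("aasrt-example", logging.INFO, "example", 0, msg, args, None)
    RedactingFilter(known_secrets).filter(record)
    return record.getMessage()


def build_logger(config=LOG_CONFIG, known_secrets=(), name="aasrt-example"):
    """Rotating file logger built from the config values, with redaction attached to the handler."""
    os.makedirs(os.path.dirname(config["file"]) or ".", exist_ok=True)
    logger = logging.getLogger(name)
    logger.setLevel(getattr(logging, config["level"]))
    handler = RotatingFileHandler(
        config["file"],
        maxBytes=config["max_size_mb"] * 1024 * 1024,
        backupCount=config["backup_count"],
    )
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter(known_secrets))
    logger.addHandler(handler)
    return logger


if __name__ == "__main__":
    log = build_logger(known_secrets=(os.environ.get("SHODAN_API_KEY"),))
    # Constructed line: the key value below is fake and is rewritten before it reaches disk.
    log.info("scan started query=%s key=%s", "sample-query-a", "sk-ant-api03-FAKEKEY")
    print(format_redacted("scan started query=%s key=%s", ("sample-query-a", "sk-ant-api03-FAKEKEY")))
```

Attaching the filter to the handler rather than the logger matters: a filter on the logger is skipped for records that arrive from child loggers via propagation, while a handler filter sees everything that handler writes. Pattern order also matters, since the broader `sk-` matcher must run after the `sk-ant-` one so that the Anthropic placeholder survives intact.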
8. Report Sharing Considerations
When you export and share scan reports (JSON/CSV), consider:
Before Sharing
✅ Do:
- Review findings for sensitive information
- Use anonymization options for public reports
- Redact organization names if not authorized
- Follow responsible disclosure practices
❌ Don't:
- Share reports containing unexploited vulnerabilities publicly
- Include API keys or credentials found in scans
- Distribute findings without authorization
Responsible Disclosure
If you discover vulnerabilities in third-party systems:
- Attempt to contact the affected organization
- Allow 90 days for remediation before public disclosure
- Anonymize sensitive details in public reports
- Consider coordinating with CERTs for critical findings
9. Legal Disclaimer
AASRT is a passive reconnaissance tool that queries publicly available data. However:
- You are responsible for ensuring your use complies with applicable laws
- Authorization is required for security assessments of systems you don't own
- This tool is provided "as-is" without warranty of any kind
- The developers are not liable for misuse or illegal activity
See the full LICENSE and legal disclaimers in the README.
10. Policy Updates
This privacy policy may be updated as the tool evolves. Changes will be:
- Documented in the repository's commit history
- Noted in release notes for significant changes
- Effective immediately upon commit
Contact
For privacy-related questions or concerns:
- GitHub Issues: github.com/0xsrb/AASRT/issues
- Repository: github.com/0xsrb/AASRT
This privacy policy is designed for an open-source security tool and may not cover all legal requirements in your jurisdiction. Consult legal counsel if needed.