Add files via upload

This commit is contained in:
公明
2026-07-07 14:06:29 +08:00
committed by GitHub
parent 00802a275c
commit caf4cf61c1
3 changed files with 155 additions and 0 deletions
+2
View File
@@ -719,6 +719,8 @@ CyberStrikeAI is a professional security testing platform designed to assist sec
**The developers are not responsible for any misuse!** Please ensure your usage complies with local laws and regulations, and that you have obtained explicit authorization from the target system owner.
For vulnerability reporting and deployment hardening guidance, see [SECURITY.md](SECURITY.md).
---
Need help or want to contribute? Open an issue or PR—community tooling additions are welcome!
+2
View File
@@ -715,6 +715,8 @@ CyberStrikeAI 是一个专业的安全测试平台,旨在帮助安全研究人
**开发者不对任何滥用行为负责!** 请确保您的使用符合当地法律法规,并获得目标系统所有者的明确授权。
安全问题报告与部署加固建议见 [SECURITY.md](SECURITY.md)。
---
欢迎提交 Issue/PR 贡献新的工具模版或优化建议!
+151
View File
@@ -0,0 +1,151 @@
# Security Policy
[中文](#安全政策) | [English](#security-policy)
## Security Policy
CyberStrikeAI is a security testing and automation platform. It can execute tools, call MCP servers, manage WebShell connections, and optionally run C2 workflows. Please treat every deployment as a high-privilege security system.
### Supported Versions
This project does not currently maintain multiple long-term support branches. Security fixes are expected to land on the latest mainline release/source tree.
If you are running an older version, please reproduce the issue against the latest code before reporting when possible.
### Reporting a Vulnerability
Please do not publicly disclose exploitable details before maintainers have had a reasonable chance to investigate.
Preferred report contents:
- affected version or commit;
- deployment mode and relevant configuration;
- clear reproduction steps;
- impact assessment;
- affected component, such as auth, MCP, tool execution, WebShell, C2, knowledge base, frontend, or API;
- whether the issue requires authentication;
- suggested mitigation, if known.
If the project repository has private vulnerability reporting enabled, use that channel. Otherwise, open a minimal public issue that states there is a security concern and avoid posting exploit details, credentials, target data, or weaponized payloads.
### Scope
In scope:
- authentication and session handling issues;
- authorization bypass in protected APIs;
- unsafe command execution behavior;
- unintended file read/write through tools or Skills;
- external MCP trust-boundary flaws;
- WebShell or C2 management vulnerabilities;
- sensitive data leakage from logs, audit records, uploads, or APIs;
- cross-site scripting or frontend injection in the Web UI;
- security-impacting configuration handling bugs.
Out of scope:
- reports against systems you do not own or are not authorized to test;
- denial-of-service testing against public services without permission;
- social engineering, phishing, or credential theft;
- issues caused only by intentionally disabling documented security controls;
- vulnerabilities in third-party tools invoked by CyberStrikeAI, unless CyberStrikeAI makes them materially worse.
### Authorized Use Boundary
CyberStrikeAI must only be used for education, research, and authorized security testing. Do not use it against systems without explicit permission.
High-risk capabilities such as Shell execution, WebShell management, C2, payload generation, external MCP tools, and batch scanning should be enabled only in controlled, authorized environments.
### Deployment Hardening
Before production use:
- change the default password;
- use HTTPS or a trusted reverse proxy;
- restrict access by IP, VPN, or bastion;
- enable audit logging;
- keep C2 disabled unless explicitly needed;
- review external MCP servers before enabling them;
- keep high-risk tools out of global HITL allowlists;
- back up `config.yaml`, `data/`, and custom resource directories.
See:
- [Security Model](docs/en-US/security-model.md)
- [Security Hardening](docs/en-US/security-hardening.md)
- [Runbooks](docs/en-US/runbooks.md)
---
# 安全政策
CyberStrikeAI 是一个安全测试与自动化平台。它可以执行工具、调用 MCP 服务、管理 WebShell 连接,并可选运行 C2 工作流。请把每个部署实例都视为高权限安全系统。
## 支持版本
本项目目前不维护多个长期支持分支。安全修复通常会合入最新主线版本或源码树。
如果你运行的是旧版本,建议在报告前尽量用最新代码复现问题。
## 漏洞报告
在维护者有合理时间调查前,请不要公开披露可利用细节。
建议报告内容:
- 受影响版本或 commit
- 部署方式和相关配置;
- 清晰复现步骤;
- 影响评估;
- 受影响组件,例如认证、MCP、工具执行、WebShell、C2、知识库、前端或 API;
- 是否需要登录认证;
- 已知缓解建议。
如果仓库启用了私有漏洞报告,请优先使用该渠道。否则可以提交一个最小公开 Issue,说明存在安全问题,但不要发布利用细节、凭证、目标数据或武器化载荷。
## 范围
范围内:
- 认证和会话处理问题;
- 受保护 API 的授权绕过;
- 不安全的命令执行行为;
- 通过工具或 Skills 意外读写文件;
- 外部 MCP 信任边界问题;
- WebShell 或 C2 管理漏洞;
- 日志、审计、上传文件或 API 泄露敏感数据;
- Web UI 的 XSS 或前端注入;
- 影响安全的配置处理缺陷。
范围外:
- 针对未授权系统的报告;
- 未经许可的拒绝服务测试;
- 社工、钓鱼或凭证窃取;
- 仅因主动关闭文档化安全控制导致的问题;
- 第三方工具自身漏洞,除非 CyberStrikeAI 明显放大了风险。
## 授权使用边界
CyberStrikeAI 仅可用于教育、研究和授权安全测试。不要在没有明确授权的系统上使用。
Shell 执行、WebShell 管理、C2、payload 生成、外部 MCP 工具、批量扫描等高风险能力,只应在受控且授权明确的环境中启用。
## 部署加固
生产使用前:
- 修改默认密码;
- 使用 HTTPS 或可信反向代理;
- 通过 IP、VPN 或堡垒机限制访问;
- 开启审计日志;
- 不需要 C2 时保持关闭;
- 启用外部 MCP 前进行审查;
- 高风险工具不要加入全局 HITL 白名单;
- 备份 `config.yaml``data/` 和自定义资源目录。
参见:
- [安全模型](docs/zh-CN/security-model.md)
- [安全加固指南](docs/zh-CN/security-hardening.md)
- [运维 Runbooks](docs/zh-CN/runbooks.md)