From caf4cf61c13da26d0f335a80fd4b98d386f2d537 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=85=AC=E6=98=8E?= <83812544+Ed1s0nZ@users.noreply.github.com> Date: Tue, 7 Jul 2026 14:06:29 +0800 Subject: [PATCH] Add files via upload --- README.md | 2 + README_CN.md | 2 + SECURITY.md | 151 +++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 155 insertions(+) create mode 100644 SECURITY.md diff --git a/README.md b/README.md index 55931b53..ef1f3ac6 100644 --- a/README.md +++ b/README.md @@ -719,6 +719,8 @@ CyberStrikeAI is a professional security testing platform designed to assist sec **The developers are not responsible for any misuse!** Please ensure your usage complies with local laws and regulations, and that you have obtained explicit authorization from the target system owner. +For vulnerability reporting and deployment hardening guidance, see [SECURITY.md](SECURITY.md). + --- Need help or want to contribute? Open an issue or PR—community tooling additions are welcome! diff --git a/README_CN.md b/README_CN.md index 2e965df7..c43dec9d 100644 --- a/README_CN.md +++ b/README_CN.md @@ -715,6 +715,8 @@ CyberStrikeAI 是一个专业的安全测试平台,旨在帮助安全研究人 **开发者不对任何滥用行为负责!** 请确保您的使用符合当地法律法规,并获得目标系统所有者的明确授权。 +安全问题报告与部署加固建议见 [SECURITY.md](SECURITY.md)。 + --- 欢迎提交 Issue/PR 贡献新的工具模版或优化建议! diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..8f0b2d68 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,151 @@ +# Security Policy + +[中文](#安全政策) | [English](#security-policy) + +## Security Policy + +CyberStrikeAI is a security testing and automation platform. It can execute tools, call MCP servers, manage WebShell connections, and optionally run C2 workflows. Please treat every deployment as a high-privilege security system. + +### Supported Versions + +This project does not currently maintain multiple long-term support branches. Security fixes are expected to land on the latest mainline release/source tree. + +If you are running an older version, please reproduce the issue against the latest code before reporting when possible. + +### Reporting a Vulnerability + +Please do not publicly disclose exploitable details before maintainers have had a reasonable chance to investigate. + +Preferred report contents: + +- affected version or commit; +- deployment mode and relevant configuration; +- clear reproduction steps; +- impact assessment; +- affected component, such as auth, MCP, tool execution, WebShell, C2, knowledge base, frontend, or API; +- whether the issue requires authentication; +- suggested mitigation, if known. + +If the project repository has private vulnerability reporting enabled, use that channel. Otherwise, open a minimal public issue that states there is a security concern and avoid posting exploit details, credentials, target data, or weaponized payloads. + +### Scope + +In scope: + +- authentication and session handling issues; +- authorization bypass in protected APIs; +- unsafe command execution behavior; +- unintended file read/write through tools or Skills; +- external MCP trust-boundary flaws; +- WebShell or C2 management vulnerabilities; +- sensitive data leakage from logs, audit records, uploads, or APIs; +- cross-site scripting or frontend injection in the Web UI; +- security-impacting configuration handling bugs. + +Out of scope: + +- reports against systems you do not own or are not authorized to test; +- denial-of-service testing against public services without permission; +- social engineering, phishing, or credential theft; +- issues caused only by intentionally disabling documented security controls; +- vulnerabilities in third-party tools invoked by CyberStrikeAI, unless CyberStrikeAI makes them materially worse. + +### Authorized Use Boundary + +CyberStrikeAI must only be used for education, research, and authorized security testing. Do not use it against systems without explicit permission. + +High-risk capabilities such as Shell execution, WebShell management, C2, payload generation, external MCP tools, and batch scanning should be enabled only in controlled, authorized environments. + +### Deployment Hardening + +Before production use: + +- change the default password; +- use HTTPS or a trusted reverse proxy; +- restrict access by IP, VPN, or bastion; +- enable audit logging; +- keep C2 disabled unless explicitly needed; +- review external MCP servers before enabling them; +- keep high-risk tools out of global HITL allowlists; +- back up `config.yaml`, `data/`, and custom resource directories. + +See: + +- [Security Model](docs/en-US/security-model.md) +- [Security Hardening](docs/en-US/security-hardening.md) +- [Runbooks](docs/en-US/runbooks.md) + +--- + +# 安全政策 + +CyberStrikeAI 是一个安全测试与自动化平台。它可以执行工具、调用 MCP 服务、管理 WebShell 连接,并可选运行 C2 工作流。请把每个部署实例都视为高权限安全系统。 + +## 支持版本 + +本项目目前不维护多个长期支持分支。安全修复通常会合入最新主线版本或源码树。 + +如果你运行的是旧版本,建议在报告前尽量用最新代码复现问题。 + +## 漏洞报告 + +在维护者有合理时间调查前,请不要公开披露可利用细节。 + +建议报告内容: + +- 受影响版本或 commit; +- 部署方式和相关配置; +- 清晰复现步骤; +- 影响评估; +- 受影响组件,例如认证、MCP、工具执行、WebShell、C2、知识库、前端或 API; +- 是否需要登录认证; +- 已知缓解建议。 + +如果仓库启用了私有漏洞报告,请优先使用该渠道。否则可以提交一个最小公开 Issue,说明存在安全问题,但不要发布利用细节、凭证、目标数据或武器化载荷。 + +## 范围 + +范围内: + +- 认证和会话处理问题; +- 受保护 API 的授权绕过; +- 不安全的命令执行行为; +- 通过工具或 Skills 意外读写文件; +- 外部 MCP 信任边界问题; +- WebShell 或 C2 管理漏洞; +- 日志、审计、上传文件或 API 泄露敏感数据; +- Web UI 的 XSS 或前端注入; +- 影响安全的配置处理缺陷。 + +范围外: + +- 针对未授权系统的报告; +- 未经许可的拒绝服务测试; +- 社工、钓鱼或凭证窃取; +- 仅因主动关闭文档化安全控制导致的问题; +- 第三方工具自身漏洞,除非 CyberStrikeAI 明显放大了风险。 + +## 授权使用边界 + +CyberStrikeAI 仅可用于教育、研究和授权安全测试。不要在没有明确授权的系统上使用。 + +Shell 执行、WebShell 管理、C2、payload 生成、外部 MCP 工具、批量扫描等高风险能力,只应在受控且授权明确的环境中启用。 + +## 部署加固 + +生产使用前: + +- 修改默认密码; +- 使用 HTTPS 或可信反向代理; +- 通过 IP、VPN 或堡垒机限制访问; +- 开启审计日志; +- 不需要 C2 时保持关闭; +- 启用外部 MCP 前进行审查; +- 高风险工具不要加入全局 HITL 白名单; +- 备份 `config.yaml`、`data/` 和自定义资源目录。 + +参见: + +- [安全模型](docs/zh-CN/security-model.md) +- [安全加固指南](docs/zh-CN/security-hardening.md) +- [运维 Runbooks](docs/zh-CN/runbooks.md)