From 1adf42165e927e061230d63d9f9e30505d4b32b3 Mon Sep 17 00:00:00 2001 From: Stalin <161853795+Stalin-143@users.noreply.github.com> Date: Mon, 23 Mar 2026 21:28:38 +0530 Subject: [PATCH] Update SECURITY.md --- SECURITY.md | 190 ++++++++-------------------------------------------- 1 file changed, 29 insertions(+), 161 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index d9626fb..1ed575d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,168 +1,36 @@ -# SECURITY POLICY +# 🔐 Security Policy -## Reporting Security Vulnerabilities +## 📬 Reporting a Vulnerability -**DO NOT** open a public GitHub issue for security vulnerabilities. +If you discover a security issue, please report it via: -### Responsible Disclosure +- GitHub Security Advisory (preferred) -If you discover a security vulnerability in BurpAI, please report it privately by: - -1. **Email:** Send details to the maintainers (check repository for contact info) -2. **Include:** - - Description of the vulnerability - - Steps to reproduce - - Potential impact - - Suggested fix (if applicable) - - Your contact information - -### Timeline - -- **Immediate:** Acknowledge receipt of your report -- **24-48 hours:** Initial assessment -- **7 days:** Targeted fix or timeline provided -- **30 days:** Security update release with fix -- **Public disclosure:** After 30 days or when patch is available - -## Security Considerations - -### API Key Security - -- **Never commit API keys** to version control -- Store keys in `~/.burpaai/config.json` (user home directory) -- Use environment variables when possible -- Rotate keys regularly -- Use separate keys for production and testing - -### HTTPS Only - -- All API calls use HTTPS for encryption in transit -- Certificate validation is enforced -- Man-in-the-middle attacks are mitigated - -### Request Handling - -- Incoming requests are validated before processing -- User input is sanitized to prevent injection attacks -- No arbitrary code execution -- Memory-safe operations - -### Data Privacy - -- Chat history stored locally only (on user's machine) -- No telemetry or tracking -- No data sent except to configured AI APIs -- User controls what gets analyzed - -## Known Limitations - -### Current Security Model - -1. **Local Storage:** Chat history stored in plaintext locally - - Mitigated by: Stored in user's home directory with restricted permissions - -2. **API Keys in Memory:** Keys held in RAM while extension runs - - Mitigated by: Keys cleared on extension reload; stored encrypted when possible - -3. **Jython Compatibility:** Uses Jython 2.7 with older dependencies - - Mitigated by: Regular security audits; sandboxed in Burp Suite - -### Recommended Practices - -- Run Burp Suite with minimal privileges -- Don't use BurpAI on untrusted systems -- Keep Burp Suite and Java updated -- Monitor API usage and costs -- Review AI-generated recommendations independently - -## Dependencies Security - -All dependencies are tracked and monitored: - -- **Burp Suite API:** Official, maintained by PortSwigger -- **Java/Swing:** Built into Java Runtime Environment -- **Python libraries:** Listed in requirements.txt -- **Third-party APIs:** User-provided credentials only - -### Dependency Updates - -- We regularly review and update dependencies -- Security patches applied immediately -- Major updates tested before release - -## Incident Response - -### If a Vulnerability is Found - -1. **Assess severity:** Critical → Emergency patch; High/Medium → Next release; Low → Future release -2. **Develop fix:** Minimal, focused fix with no feature additions -3. **Test thoroughly:** Reproduction test + regression tests -4. **Release:** New version with security advisory -5. **Communicate:** Announce fix through GitHub, changelog, security advisory - -## Security Best Practices for Users - -### Setup -- [ ] Use a dedicated API key for BurpAI -- [ ] Enable two-factor authentication on API provider account -- [ ] Store config file with restricted permissions (chmod 600) -- [ ] Keep Burp Suite updated -- [ ] Keep Java updated - -### Usage -- [ ] Don't analyze production requests through untrusted networks -- [ ] Review all AI-generated recommendations -- [ ] Monitor API usage for unusual activity -- [ ] Rotate API keys regularly -- [ ] Clear chat history periodically - -### Infrastructure -- [ ] Run on trusted systems only -- [ ] Use firewall to restrict network access -- [ ] Monitor system logs for unauthorized access -- [ ] Keep antivirus/antimalware up to date - -## Security Headers - -BurpAI respects: -- Content-Security-Policy -- X-Content-Type-Options -- X-Frame-Options -- Strict-Transport-Security (via HTTPS) - -## Version History & Patches - -| Version | Date | Security Issues | Status | -|---------|------|-----------------|--------| -| 1.0 | March 23, 2026 | None known | Current | - -## Compliance - -BurpAI follows: -- OWASP Top 10 guidelines -- CWE/SANS recommendations -- Secure coding practices -- Data privacy principles - -## Frequently Asked Questions - -**Q: Is my AI API key stored securely?** -A: Keys are stored in user home directory with restricted permissions. Consider them sensitive - treat like passwords. - -**Q: Can BurpAI access my local file system?** -A: No, it only has access to HTTP requests through Burp Suite. - -**Q: What data is sent to AI APIs?** -A: Only request/response data you explicitly send for analysis. - -**Q: Is the extension audited by security professionals?** -A: Not formally, but the code is open-source and subject to community review. - -**Q: What if I find a security issue?** -A: Please report privately using the process above. We appreciate responsible disclosure. +Do not open public issues for vulnerabilities. --- -**Last Updated:** March 23, 2026 -**Current Version:** 1.0 -**Status:** Active - Security reports welcome +## 📌 Scope + +In scope: +- Security vulnerabilities in the application or extension +- Data leaks, auth issues, or unsafe request handling +- AI-related issues (prompt injection, misuse, data exposure) + +Out of scope: +- Theoretical issues without proof +- Third-party services + +--- + +## ⚠️ Guidelines + +- Provide clear steps to reproduce +- Include proof-of-concept if possible +- Do not publicly disclose before a fix + +--- + +## 🛡️ Note + +This project is intended for ethical and defensive security research only.