All code in this repo is provided as is without warranty of any kind, either express or implied.
If you discover a security vulnerability in CrabTrap, please report it responsibly.
Email: crabtrap+security@brex.com
Please structure your report with the following sections:
- Title
- Severity Assessment
- Impact
- Affected Component
- Technical Reproduction
- Demonstrated Impact
- Environment
- Remediation Advice
Reports without reproduction steps, demonstrated impact, and remediation advice will be deprioritized. Given the volume of AI-generated scanner findings, we must ensure we're receiving vetted reports from researchers who understand the issues.
This policy applies to the CrabTrap project and its official releases. It covers vulnerabilities in:
- The proxy gateway
- The admin API and web UI
- Certificate generation and TLS handling
- Audit logging
- Authentication and authorization
Brex is open-sourcing CrabTrap with the community to share our learnings and help others. At this moment, there is no bug bounty program. Please still disclose responsibly (our official policy is here) so we can fix issues quickly.
As with all open source, the best way to help the project right now is by sending PRs.
We will credit reporters in the release notes unless anonymity is requested.