Skip to content

Security: djunekz/merlin

Security

SECURITY.md

Security Policy

Supported Versions

Version Supported
1.0.x ✅ Yes

Only the latest release receives security fixes. We strongly recommend always running the latest version.


Reporting a Vulnerability

If you discover a security vulnerability in Merlin itself (e.g. code injection, unsafe subprocess usage, insecure config handling), please do not open a public GitHub issue.

Instead, report it responsibly:

  1. Email — Send details to the maintainer privately. You can find contact information on the author's GitHub profile: github.com/djunekz
  2. GitHub Security Advisories — Use the Security tab on this repository to submit a private advisory.

Please include:

  • A clear description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

We will respond within 72 hours and aim to release a patch within 7 days of confirmation.


Responsible Disclosure Policy

We follow a coordinated disclosure model:

  • You report the issue privately
  • We investigate and develop a fix
  • We release the fix and credit you (unless you prefer to remain anonymous)
  • Details are disclosed publicly after the patch is available

Ethical Use Reminder

Merlin is a security research tool. It must only be used on systems you own or have explicit written authorization to test.

Unauthorized scanning, testing, or exploitation of third-party systems is illegal and unethical, regardless of the tool used. The author accepts no responsibility for misuse.

If you are unsure whether your use case is permitted, consult a legal professional before proceeding.

There aren't any published security advisories