| Version | Supported |
|---|---|
| 1.0.x | ✅ Yes |
Only the latest release receives security fixes. We strongly recommend always running the latest version.
If you discover a security vulnerability in Merlin itself (e.g. code injection, unsafe subprocess usage, insecure config handling), please do not open a public GitHub issue.
Instead, report it responsibly:
- Email — Send details to the maintainer privately. You can find contact information on the author's GitHub profile: github.com/djunekz
- GitHub Security Advisories — Use the Security tab on this repository to submit a private advisory.
Please include:
- A clear description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will respond within 72 hours and aim to release a patch within 7 days of confirmation.
We follow a coordinated disclosure model:
- You report the issue privately
- We investigate and develop a fix
- We release the fix and credit you (unless you prefer to remain anonymous)
- Details are disclosed publicly after the patch is available
Merlin is a security research tool. It must only be used on systems you own or have explicit written authorization to test.
Unauthorized scanning, testing, or exploitation of third-party systems is illegal and unethical, regardless of the tool used. The author accepts no responsibility for misuse.
If you are unsure whether your use case is permitted, consult a legal professional before proceeding.