| Version | Supported |
|---|---|
| latest | ✅ |

We take security vulnerabilities seriously. If you discover a security issue in Trajan, please report it responsibly.
Please DO NOT open a public GitHub issue for security vulnerabilities.
Instead, report vulnerabilities via one of these methods:
- Email: Send details to security@praetorian.com
- Private Disclosure: Use GitHub's private vulnerability reporting

When reporting a vulnerability, please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)

After you report, you can expect the following response timeline:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution Target: Based on severity (Critical: 7 days, High: 30 days, Medium: 90 days)

This security policy applies to:
- The Trajan CLI tool
- Detection plugins
- Attack simulation modules
- Documentation and examples

We appreciate responsible disclosure and will acknowledge security researchers who help improve Trajan's security (with your permission) in our release notes.

When using Trajan:
- Token Security: Use fine-grained GitHub tokens with minimal required permissions
- CI/CD Integration: Run Trajan in isolated environments
- Attack Mode: Only use the `--attack` flag against repositories you own or have explicit authorization to test
- Output Handling: Treat scan results as sensitive (they may contain workflow paths and configurations)