Ultimate OSINT Toolkit is developed by Putu Wind Antara, a Certified Ethical Hacker (CEH) from Bali, Indonesia. Security and responsible use are our top priorities.
- Supported Versions
- Reporting a Vulnerability
- Security Best Practices
- Legal & Ethical Use
- Data Privacy
- Tool Security
- Response Timeline
- Acknowledgments
## Supported Versions

We actively maintain and provide security updates for the following versions:
| Version | Supported | Status |
|---|---|---|
| 1.0.x | ✅ Yes | Active |
| < 1.0 | ❌ No | Deprecated |
Recommendation: Always use the latest version from the main branch for the most up-to-date security features and patches.
## Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please follow our responsible disclosure process:

- Email (Preferred): putu@windantara.dev
  - Subject: [SECURITY] Ultimate OSINT Toolkit - Brief Description
  - Use PGP encryption if possible (key available on request)
- GitHub Security Advisory:
  - Use GitHub's private vulnerability reporting feature
  - Navigate to: Security → Report a vulnerability
- LinkedIn Direct Message: Putu Wind Antara
  - For urgent critical vulnerabilities only
Please provide the following information:
## Vulnerability Report Template
**Title**: Brief description of the vulnerability
**Severity**: [Critical / High / Medium / Low]
**Affected Component**:
- Tool name (e.g., theHarvester module)
- Version: 1.0.0
- Operating System: Ubuntu 24.04 LTS
**Description**:
Detailed description of the vulnerability and its potential impact.
**Steps to Reproduce**:
1. Step one
2. Step two
3. Step three
**Expected Behavior**:
What should happen normally.
**Actual Behavior**:
What actually happens (the vulnerability).
**Impact Assessment**:
- Who is affected?
- What data is at risk?
- What systems are vulnerable?
**Proof of Concept**:
(If applicable, provide code/screenshots - DO NOT include actual exploits)
**Suggested Fix**:
(Optional) Your recommendations for fixing the issue.
**Researcher Information**:
- Name: (optional)
- Organization: (optional)
- Contact: (email or GitHub username)

- ❌ DO NOT publicly disclose the vulnerability before we've had a chance to address it
- ❌ DO NOT exploit the vulnerability beyond what's necessary to demonstrate it
- ❌ DO NOT access, modify, or delete data that doesn't belong to you
- ❌ DO NOT perform DoS attacks or disrupt services
- ❌ DO NOT share vulnerability details with third parties before disclosure
## Security Best Practices

```bash
# ✅ GOOD: Clone from official repository only
git clone https://github.com/windantara/ultimate-osint-toolkit.git

# ❌ BAD: Don't download from untrusted sources
# Never run random scripts from unknown websites
```

```bash
# Run in isolated environment
# Use dedicated VM or Docker container for OSINT operations

# ✅ Keep your system updated
sudo apt update && sudo apt upgrade -y

# ✅ Use non-root user when possible
# Avoid running as root unless absolutely necessary
```

- Never store sensitive data in plain text
- Encrypt results containing personal information
- Use secure file permissions:

```bash
chmod 600 sensitive_results.txt   # Owner read/write only
chmod 700 ~/osint_results/        # Owner full access only
```

```bash
# ❌ NEVER commit API keys to GitHub
# ❌ NEVER hardcode credentials in scripts

# ✅ Use environment variables
export SHODAN_API_KEY="your-key-here"

# ✅ Use config files with proper permissions
chmod 600 config.conf

# ✅ Add sensitive files to .gitignore
echo "config.conf" >> .gitignore
echo "api_keys.txt" >> .gitignore
```

- Use VPN when conducting OSINT operations
- Rotate IP addresses for extensive reconnaissance
- Respect rate limits to avoid detection/blocking
- Monitor your footprint - minimize traces

```bash
# ✅ Verify proxy providers are legitimate
# ✅ Use HTTPS proxies when possible
# ✅ Test proxies before large operations
# ❌ Don't use free public proxies for sensitive work
```

```bash
# Validate all user inputs
if [[ ! "$domain" =~ ^[a-zA-Z0-9.-]+$ ]]; then
    echo "Invalid domain format"
    exit 1
fi

# Sanitize file paths
target=$(basename "$target")

# Use shellcheck for static analysis
shellcheck ultimate_osint_toolkit.sh
```

```bash
# Pin tool versions for reproducibility
git clone --depth 1 --branch v4.5.1 https://github.com/laramies/theHarvester.git

# Verify checksums (two spaces between the hash and the filename)
echo "expected-hash  filename" | sha256sum -c

# Use requirements.txt for Python dependencies
pip install -r requirements.txt --require-hashes
```

```bash
# ❌ Don't log sensitive information
# ❌ Don't log API keys, passwords, or personal data

# ✅ Sanitize logs
log_safe() {
    echo "$1" | sed 's/[0-9]\{3\}-[0-9]\{2\}-[0-9]\{4\}/XXX-XX-XXXX/g'
}

# ✅ Secure log file permissions
chmod 600 logs/osint_scan.log
```

## Legal & Ethical Use

```text
╔═══════════════════════════════════════════════════════════════╗
║                      ⚠️ LEGAL WARNING ⚠️                      ║
╠═══════════════════════════════════════════════════════════════╣
║                                                               ║
║  This toolkit is for AUTHORIZED SECURITY RESEARCH ONLY        ║
║                                                               ║
║  ✅ LEGAL USES:                                               ║
║  • Penetration testing with written authorization             ║
║  • Bug bounty programs within scope                           ║
║  • Research on systems you own                                ║
║  • Educational purposes in controlled environments            ║
║                                                               ║
║  ❌ ILLEGAL USES:                                             ║
║  • Unauthorized access to systems                             ║
║  • Data theft or privacy violations                           ║
║  • Corporate espionage                                        ║
║  • Stalking or harassment                                     ║
║  • Any malicious intent                                       ║
║                                                               ║
║  🇮🇩 Indonesian Law (UU ITE):                                  ║
║  • Violation can result in imprisonment up to 10 years        ║
║  • Fines up to IDR 10 billion                                 ║
║                                                               ║
║  🌍 International Laws:                                       ║
║  • Computer Fraud and Abuse Act (USA)                         ║
║  • Computer Misuse Act (UK)                                   ║
║  • GDPR (EU) for data privacy                                 ║
║                                                               ║
╚═══════════════════════════════════════════════════════════════╝
```
Before using this toolkit, ensure you have:
- Written Authorization
  - Signed permission from system/network owner
  - Clear scope of work defined
  - Legal counsel review (for commercial use)
- Compliance Documentation
  - Statement of Work (SOW)
  - Rules of Engagement (RoE)
  - Non-Disclosure Agreement (NDA)
- Professional Standards
  - Follow CEH Code of Ethics
  - Adhere to OWASP guidelines
  - Respect privacy laws (GDPR, CCPA, etc.)
## Acceptable for Learning:
✅ Personal homelab environments
✅ Virtual machines you own
✅ Authorized CTF competitions
✅ Bug bounty programs (within scope)
✅ Academic research (with approval)
✅ Security training courses
## NOT Acceptable:
❌ Scanning public websites without permission
❌ Testing production systems at your workplace
❌ Reconnaissance on competitors
❌ Any "unauthorized" access

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND.
THE AUTHOR ASSUMES NO LIABILITY FOR MISUSE OR ILLEGAL USE.
USERS ARE SOLELY RESPONSIBLE FOR THEIR ACTIONS.
## Data Privacy

This toolkit may collect publicly available information during OSINT operations. To protect privacy:

```bash
# Only collect what's necessary for your authorized scope
# Don't store more data than needed
```

```bash
# Encrypt sensitive results
gpg -c osint_results/sensitive_data.txt

# Use secure directories
mkdir -p ~/secure_osint
chmod 700 ~/secure_osint
```

```bash
# Delete data after project completion
shred -vfz -n 10 sensitive_file.txt

# Secure wipe of directories
srm -r old_osint_results/
```

Note that shred and srm cannot guarantee removal on journaling, copy-on-write or SSD-backed filesystems, where old blocks may survive; keeping results on an encrypted volume is the more reliable control.

```python
# Redact personal information before sharing
def anonymize_email(email):
    user, domain = email.split('@')
    return f"{user[0]}***@{domain}"

# john.doe@example.com → j***@example.com
```

- GDPR (EU): Right to be forgotten, data minimization
- CCPA (California): Consumer privacy rights
- UU ITE (Indonesia): Electronic Information and Transactions Law
- Personal Data Protection Act (various countries)
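As an added example (not the toolkit's own code), the following Python extends the redaction idea above and the "sanitize logs" advice under Security Best Practices: anonymize_email tolerates malformed input, and redact_text masks emails, SSN-style numbers and credential values in constructed log lines. The pattern and function names are assumptions.

```python
import re

# Added example (not the toolkit's own code): redact personal data and
# credentials from OSINT output before it is logged or shared.
# Pattern and function names are assumptions; sample lines are constructed.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # same pattern as log_safe()
# KEY=value or key: value for common credential names, case-insensitive
SECRET_RE = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:API_KEY|TOKEN|PASSWORD|SECRET))(\s*[=:]\s*)(\S+)"
)

def anonymize_email(email: str) -> str:
    """Keep the first character of the local part and the whole domain.

    Unlike a bare split('@'), this handles input with no '@' (fully masked)
    and local parts that themselves contain '@'.
    """
    if "@" not in email:
        return "***"
    user, domain = email.rsplit("@", 1)
    first = user[0] if user else ""
    return f"{first}***@{domain}"

def redact_text(text: str) -> str:
    """Mask credential values, SSN-style numbers and emails in free text."""
    text = SECRET_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)
    text = SSN_RE.sub("XXX-XX-XXXX", text)
    return EMAIL_RE.sub(lambda m: anonymize_email(m.group(0)), text)

def redact_lines(lines):
    """Redact an iterable of log lines, returning a new list."""
    return [redact_text(line) for line in lines]

SAMPLE_LOG = [  # constructed log lines, not real data
    "[theHarvester] found john.doe@example.com on example.com",
    "[config] SHODAN_API_KEY=abcd1234efgh5678 loaded",
    "[note] record 123-45-6789 seen in public dump",
]

if __name__ == "__main__":
    for line in redact_lines(SAMPLE_LOG):
        print(line)
```

Credential values are masked before the email pass so that a secret that happens to look like an address is removed entirely rather than partially kept.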
As a security researcher, you must:
- Obtain consent when required
- Process data lawfully and transparently
- Implement appropriate security measures
- Delete data when no longer needed
## Tool Security

This toolkit integrates multiple OSINT tools. Security considerations:

```bash
# Verify official repository
git remote -v
# origin  https://github.com/laramies/theHarvester.git

# Check commit signatures (if available)
git log --show-signature

# Compare checksums
sha256sum theHarvester/theHarvester.py
```

```bash
# Audit Python packages
pip-audit

# Check for known vulnerabilities
safety check -r requirements.txt

# Update dependencies regularly
pip list --outdated
```

```bash
# Use virtual environments
python3 -m venv osint_env
source osint_env/bin/activate

# Or use Docker for complete isolation
docker build -t osint-toolkit .
docker run --rm -it osint-toolkit
```

| Tool | Potential Risk | Mitigation |
|---|---|---|
| theHarvester | Email scraping detection | Use delays, rotate IPs |
| Sherlock | Account enumeration tracking | Use proxies, VPN |
| Sublist3r | Passive DNS queries logged | Distribute across time |
| Photon | Web crawling detection | Respect robots.txt |
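Added example, not code from the toolkit: a Python check for the two dependency controls above. unpinned_requirements lists requirements.txt entries that lack the --hash pins that pip --require-hashes needs, and verify_file_sha256 checks a downloaded file against an expected digest. Function names are hypothetical and the sample requirements are constructed.

```python
import hashlib
import os
import re
import tempfile

# Added example (not the toolkit's own code) behind the "verify checksums"
# and "--require-hashes" advice above; names are hypothetical, data constructed.
HASH_OPT_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")

def unpinned_requirements(requirements_text: str) -> list:
    """Names of entries lacking a sha256 --hash (pip --require-hashes rejects them)."""
    joined = requirements_text.replace("\\\n", " ")  # join continuation lines
    missing = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("-"):  # skip blanks and pip options
            continue
        if not HASH_OPT_RE.search(line):
            # the name ends at the first extras/version/marker character
            missing.append(re.split(r"[\s=<>!~\[;]", line, maxsplit=1)[0])
    return missing

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_file_sha256(path: str, expected_hex: str) -> bool:
    """Stream a file in chunks and compare it with the expected digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest() == expected_hex.strip().lower()

def checksum_roundtrip(data: bytes) -> bool:
    """Write data to a temp file and verify it, as a download check would."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "download.bin")
        with open(path, "wb") as fh:
            fh.write(data)
        return verify_file_sha256(path, sha256_hex(data))

SAMPLE_REQUIREMENTS = (  # constructed: first entry hash-pinned, second not
    "requests==2.31.0 \\\n"
    "    --hash=sha256:" + "a" * 64 + "\n"
    "shodan>=1.28  # unpinned: --require-hashes would reject this\n"
)

if __name__ == "__main__":
    print("unpinned:", unpinned_requirements(SAMPLE_REQUIREMENTS))
    print("checksum ok:", checksum_roundtrip(b"abc"))
```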
## Response Timeline

We are committed to addressing security issues promptly:
| Severity | Initial Response | Fix Target | Public Disclosure |
|---|---|---|---|
| 🔴 Critical | 24 hours | 7 days | After fix + 7 days |
| 🟠 High | 48 hours | 14 days | After fix + 14 days |
| 🟡 Medium | 5 days | 30 days | After fix + 30 days |
| 🟢 Low | 7 days | 60 days | After fix + 60 days |
- Critical: Remote code execution, data breach, authentication bypass
- High: Privilege escalation, sensitive data exposure
- Medium: Denial of service, information disclosure
- Low: Minor bugs, cosmetic issues
- Report received → Acknowledgment sent within timeline
- Validation → We verify and assess the vulnerability
- Fix development → Patch created and tested
- Release → Security update published
- Public disclosure → CVE issued if applicable
- Credit → Researcher acknowledged (if desired)
## Acknowledgments

We gratefully acknowledge security researchers who help improve this toolkit:
- Your name could be here! Report responsibly.
Eligible reporters may receive:
- ⭐ Public acknowledgment (optional)
- 📜 Appreciation certificate
- 🔗 Link to your profile/website
- 💼 Reference for professional portfolio
- Lead Developer: Putu Wind Antara
- Certification: Certified Ethical Hacker (CEH)
- Location: Bali, Indonesia 🇮🇩
| Channel | Purpose | Response Time |
|---|---|---|
| Email (putu@windantara.dev) | Security reports | 24-48 hours |
| 🔒 GitHub Security Advisory | Vulnerability disclosure | 24-48 hours |
| 💬 GitHub Issues | General bugs | 3-7 days |
| 🐦 Social | Non-urgent | Best effort |
For critical vulnerabilities that pose immediate risk:
- Email: putu@windantara.dev (mark as URGENT)
- Subject: [CRITICAL SECURITY] Brief description
- CEH Code of Ethics: EC-Council Ethics
- OWASP: OWASP.org
- NIST Cybersecurity Framework: NIST.gov
- UU ITE: UU No. 19 Tahun 2016
- Peraturan Privasi Data: Kementerian Komunikasi
- OWASP Indonesia Chapter
- ID-SIRTII: Indonesia Security Incident Response Team
- Indonesian Cyber Security Forum
This security policy is reviewed and updated regularly.
- Last Updated: November 2025
- Version: 1.0.0
- Next Review: February 2026
Questions about security? Don't hesitate to reach out.
Found a vulnerability? We appreciate responsible disclosure.
Want to contribute? Check our CONTRIBUTING.md
© 2025 Putu Wind Antara | Certified Ethical Hacker (CEH)
Made with ❤️ and 🔒 in Bali, Indonesia 🇮🇩
"Security is not a product, but a process." - Bruce Schneier