
Security: windantara/ultimate-pentest-toolkit


SECURITY.md

Security Policy

Supported Versions

| Version        | Supported  |
|----------------|------------|
| 2.0.x (Python) |            |
| 1.0.x (Bash)   | ⚠️ Legacy  |

Reporting Vulnerabilities

DO NOT use GitHub issues. Email: putu@windantara.dev

Response: 48h acknowledgment, 14-day fix for critical.

Architecture (v2.0)

  • Input validation: get_target() auto-fills from workspace and rejects digit-only and non-domain input; validate_input() covers all other input. The Subdomain Takeover module validates domain format separately
  • Subprocess: run_command() takes list args and enforces timeouts. The async scanner runs children with stdin=DEVNULL to prevent stdin corruption and resets the terminal with stty sane afterwards
  • Config: JSON only — no eval/exec. Workspace-aware output routing via properties
  • Database: SQLite with parameterized queries (data/pentest.db)
  • Evidence: Files in data/evidence/ with JSON index
  • Plugins: importlib from plugins/ — review source before use
  • Scope: Auto-blocks out-of-scope targets, override requires typing 'OVERRIDE'
  • Workspace: Consolidated output. Edit (target/name/tester/scope), deactivate (data stays), delete (requires typing project name). Switch without closing
  • Cleanup: Separates workspace and non-workspace data. Reset requires typing 'RESET', shows file count preview
  • Security Audit: Deep SSL/TLS (protocol/cipher enum, chain validation) + Config (CSP unsafe-inline/eval, CORS+credentials, cookie flags, HTTP→HTTPS, Cache-Control, Server-Timing, CSRF detection)
  • API Discovery: Probes subdomains and paths. ccTLD-aware domain extraction. 404 shown as potential, not discarded
  • Recommendations: Context from actual files (os.walk recursive), not manual records. Finding-driven rules only suggest new actions, never repeat known findings
  • CVSS: Implements v3.1 base score formula
  • Data: All local, no telemetry, no cloud

Best Practices

Users: Enable Scope Validator, use Workspace, review plugins before loading, don't commit telegram.json, workspace.json, or data/ to git.

Developers: subprocess with list args + stdin=DEVNULL for async, validate all input, no eval/exec, parameterize SQL, use _default_results_dir for cleanup operations, handle ccTLDs in domain parsing.
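As an added illustration of the developer rules above (list-argument subprocess with a timeout and stdin=DEVNULL, rejecting non-domain targets, parameterized SQLite), this is example code written for this page, not the toolkit's own; the helper names echo get_target()/run_command() from the policy but are hypothetical:

```python
import re
import sqlite3
import subprocess
import sys
from subprocess import DEVNULL

# Hypothetical helpers for this example; the names echo the policy's
# get_target()/run_command() but this is not the toolkit's own code.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)(?:[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.IGNORECASE)

def is_valid_domain(value: str) -> bool:
    # True only for a well-formed hostname: digit-only input, IPs, paths and
    # shell metacharacters all fail the pattern and are rejected.
    value = value.strip()
    return bool(value) and not value.isdigit() and _DOMAIN_RE.match(value) is not None

def run_command(argv: list, timeout: int = 30) -> subprocess.CompletedProcess:
    # List argv (never shell=True), a hard timeout, and stdin detached so a
    # backgrounded scanner cannot read or corrupt the interactive terminal.
    if not isinstance(argv, list) or not all(isinstance(a, str) for a in argv):
        raise TypeError("argv must be a list of str, not a command string")
    return subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, stdin=DEVNULL, check=False)

def echo_via_python(text: str) -> str:
    # Shows that metacharacters in an argument reach the child verbatim.
    proc = run_command([sys.executable, "-c", "import sys; print(sys.argv[1])", text])
    return proc.stdout.strip()

def open_findings_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS findings "
                 "(id INTEGER PRIMARY KEY, target TEXT, title TEXT, severity TEXT)")
    return conn

def record_finding(conn: sqlite3.Connection, target: str, title: str, severity: str) -> int:
    # Parameterized insert: the driver binds the values, so quotes in the title
    # are stored as data rather than spliced into the statement.
    if not is_valid_domain(target):
        raise ValueError(f"rejected target: {target!r}")
    cur = conn.execute("INSERT INTO findings (target, title, severity) VALUES (?, ?, ?)",
                       (target.strip().lower(), title, severity))
    return cur.lastrowid

def count_findings(conn: sqlite3.Connection, target: str) -> int:
    row = conn.execute("SELECT COUNT(*) FROM findings WHERE target = ?", (target,)).fetchone()
    return row[0]
```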

Contact

putu@windantara.dev | 24-48h response


Last Updated: March 2026
