Security

Our commitment to security and responsible disclosure

Vulnerability Disclosure

We take security vulnerabilities seriously and appreciate responsible disclosure from the security community.

Report a Vulnerability

If you discover a security issue in Feroxbuster Pro or our infrastructure, report it to us privately so we can remediate it responsibly.

Scope

In-scope: Feroxbuster Pro binaries, controller and agent components, our activation and portal services, and official documentation.
Out-of-scope: customer systems, third-party services, or any environment we do not control.

Forbidden activity (100% out of scope)

Any testing that interacts with production databases or production data is strictly prohibited. The following actions are explicitly out of scope and will void safe-harbor:

  • Querying, copying, exporting, or otherwise accessing production database contents.
  • Creating, updating, deleting, or modifying production records or customer data.
  • Exfiltrating, storing, or sharing production data, including PII and credentials.
  • Running scripts or commands that alter production systems or introduce persistent changes.
  • Load, stress, or denial-of-service testing against production services.
  • Social engineering, phishing, or attempting to obtain credentials from employees or customers.

If you accidentally access production data

  1. Stop the activity immediately.
  2. Do not copy, download, share, or screenshot the data.
  3. Delete any local copies immediately and note what was captured.
  4. Notify us right away at security@feroxbuster.pro using our PGP key or secure upload instructions. Describe how the data was accessed and the steps to reproduce.
  5. Cooperate with our security team and follow any remediation instructions.

Safe-harbor and limits

We will not pursue legal action against individuals who act in good faith and follow this policy. Note: this is a policy statement, not a legal guarantee. The safe-harbor is void if a researcher:

  • Accesses, copies, modifies, or exfiltrates production data.
  • Performs destructive testing that impacts production systems or customer data.
  • Targets third-party systems or customer environments, or engages in social engineering.

Violations may be reported to law enforcement and could lead to civil or criminal liability.

How to report

Email security@feroxbuster.pro. If your report includes sensitive proofs of concept, production data, or credentials, request our public key or secure upload instructions before sending. Do not send unencrypted sensitive data or PII.

Response and disclosure

We aim to acknowledge reports within 48 hours and provide initial triage within 7 days. Our coordinated disclosure window is 90 days from acknowledgement, though timelines may vary by severity. We will keep you updated on remediation progress.

Product security

Feroxbuster Pro is designed to run in sensitive environments, including restricted and non-internet-connected networks.

Offline-First Operation

There are no required online check-ins, gates, or background telemetry. We intentionally avoid workflows that depend on continuous internet access so Feroxbuster Pro can be used in air-gapped and restricted environments.

User-Initiated Update Checks

Checking for new versions is always explicit and initiated by the user. When update metadata is fetched, it is vendor-signed and verified by the client before it is trusted or displayed.

Encrypted State Files

Scan state files are encrypted at rest by default. This helps protect saved scan artifacts (including discovered endpoints and response data) if the state file is copied or exposed unintentionally.

Cryptographically Verifiable Licensing

Licensing is based on vendor-signed artifacts that are verified locally. The application can validate licenses and activations without relying on ongoing online checks.