Project: CVE Security Intelligence Monitor
Maintainer: SudoCode by SudoChef | @sudochef | commit-issues
| Version | Supported |
|---|---|
| Latest (main branch) | Yes, actively maintained |
| Older forks / versions | No, not supported; use the official repo |
Always use the official repository:
https://github.com/commit-issues/cve-security-monitor
If you are running a version from a fork or a third party, we cannot guarantee its security or integrity. Verify you are on the official source before reporting.
Please do not report security vulnerabilities through public GitHub issues.
Public issue reports expose the vulnerability to everyone, including people who might exploit it before a fix is available. We follow responsible disclosure.
Use GitHub's built-in private vulnerability reporting:
- Go to the Security tab of this repository
- Click "Report a vulnerability"
- Fill out the form with as much detail as possible
This sends your report directly and privately to the maintainer.
The more detail you provide, the faster we can investigate and fix it:
- Description of the vulnerability
- Steps to reproduce it
- What version / commit you were using
- What the potential impact is (data exposure, crash, etc.)
- Any suggested fixes if you have them
| Timeline | What We Do |
|---|---|
| Within 48 hours | Acknowledge receipt of your report |
| Within 7 days | Provide an initial assessment and severity rating |
| Within 30 days | Aim to have a fix or mitigation in place |
| After fix is released | Credit you in the release notes (if you want) |
We will keep you updated throughout the process. We will not leave you in the dark.
We are interested in vulnerabilities that affect users of this tool, including:
- Credential or API key exposure
- SQL injection or database manipulation
- Malicious data injection through external feeds (XXE, oversized responses, domain spoofing)
- Authentication bypass (when auth features are added)
- Dependency vulnerabilities with direct exploitability
- Path traversal or file system issues
- Any issue that could compromise a user's machine or data
Out of scope:
- Vulnerabilities in third-party services (NVD, BleepingComputer, etc.)
- Issues in unsupported forks or modified versions
- Social engineering attacks against the maintainer
- Denial of service on local installations
- Theoretical vulnerabilities with no practical exploit path
This tool does not use a shared or cloud-hosted database. Every user runs their own local encrypted database created during setup.
What this means:
- Your CVE data lives only on your machine
- Your encryption key never leaves your machine
- There is no central server that can be breached
- No user data is collected, stored, or transmitted by this project
CI/CD database: The GitHub Actions test suite creates a temporary throwaway database using a separate CI-only encryption key. This database is destroyed after every test run. It contains no real CVE data and is completely independent of any user's local database.
Each user's setup:
When you run `python3 init_db.py` for the first time, you generate your own local encrypted database with your own encryption key stored in your own `.env` file. This key never touches GitHub.
This project is open source under the MIT License. If you find a vulnerability in a fork of this project, please report it to the fork's maintainer, not here.
If a fork has introduced malicious code, modified security features, or is being distributed in a way that harms users, please report it to:
- GitHub's Trust & Safety team: https://github.com/contact/report-abuse
- The original maintainer via private vulnerability report (above)
We take security seriously. This is a cybersecurity tool, so it would be especially embarrassing (and harmful) for it to be a security liability itself.
We commit to:
- Responding to reports promptly and professionally
- Never dismissing a report without investigation
- Crediting researchers who help improve this project
- Being transparent about vulnerabilities after patches are released
Thank you for helping keep this project and its users safe.
SudoCode by SudoChef: Making cybersecurity accessible, one CVE at a time.
@sudochef | github.com/commit-issues