This document covers two different things:
- How to report a security vulnerability in the AURA tool itself (its code, dependencies, or supply chain).
- The responsible/authorized use policy for scanning targets with AURA.
| Version | Supported |
|---|---|
| Latest release | ✅ |
| Older releases | ❌ |
Only the latest tagged release receives security fixes. Please update before reporting an issue to confirm it's still present.
If you find a security issue in AURA itself (e.g. a flaw that lets a malicious target exploit the scanner, a dependency vulnerability, credential leakage, SSRF in endpoint discovery, etc.):
- Do not open a public GitHub issue.
- Preferably use GitHub's private vulnerability reporting for this repository.
- Or email security@yourdomain.com (replace with a real monitored address before publishing this file).
Please include:
- A description of the issue and its potential impact
- Steps to reproduce, or a minimal proof of concept
- The AURA version/commit affected (`aura --version`)
We aim to acknowledge new reports within 5 business days and to provide a fix or mitigation timeline once the report is triaged. Please give us a reasonable window to patch before any public disclosure.
AURA actively probes endpoints with alternate object IDs and credentials. Used against systems you don't own or don't have explicit permission to test, this is unauthorized access and may be illegal in your jurisdiction (e.g. under the U.S. CFAA, UK Computer Misuse Act, or equivalent local law).
By using AURA you agree that you will:
- Only scan systems you own, or have explicit written authorization to test (e.g. a signed pentest agreement or a bug bounty program's published scope).
- Respect each target's bug bounty scope and rules of engagement, including rate limits.
- Not use AURA to access, exfiltrate, or retain data beyond what is required to demonstrate a finding.
- Disclose any vulnerabilities found through the target's official disclosure channel, not publicly, until they've had a chance to remediate.
The maintainers of AURA accept no liability for misuse of this tool. It is provided for legitimate security research, bug bounty hunting, and authorized penetration testing only.