| Version | Supported |
|---|---|
| 5.x.x | Yes |
| 4.x.x | Yes |
| < 4.0 | No |
If you discover a security vulnerability in Counterscarp Engine, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please email us at: contact@counterscarp.io
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 5 business days
- Fix Timeline: Depends on severity
- Critical: 24-72 hours
- High: 1-2 weeks
- Medium/Low: Next release cycle
The following are in scope:
- Counterscarp Engine core analyzers and scanning logic
- License validation and key management
- Web application (app.counterscarp.io)
- CLI tools and report generation
The following are out of scope:
- Third-party dependencies (report to the respective maintainer)
- Social engineering attacks
- Denial of service attacks
The following security controls are enforced by the Counterscarp Engine web API:
| Endpoint | Limit | Response when exceeded |
|---|---|---|
License validation (POST /api/license/validate) |
10 req/min | HTTP 429 |
License deactivation (POST /api/license/deactivate) |
5 req/min | HTTP 429 |
Stripe webhooks (POST /webhook/stripe) |
30 req/min | HTTP 429 |
Clients must wait for the rate-limit window to reset before retrying.
All API request fields are validated via Pydantic constraints:
- License key: regex-constrained format
- Machine ID: maximum 255 characters
- Version: semver pattern (
X.Y.Z) - Timestamp: ISO 8601 format
Malformed payloads are rejected with HTTP 422.
GET /api/license/info requires both an active session and the session email must match the configured ADMIN_EMAIL environment variable. Unauthenticated or unauthorised requests receive {"detail": "Authentication required"} (HTTP 403).
All inbound Stripe webhook events must carry a valid Stripe-Signature header. Unsigned or tampered payloads are rejected with HTTP 500. Set STRIPE_WEBHOOK_SECRET in the environment to enable verification.
Cross-Origin requests are restricted to the following origins:
https://app.counterscarp.iohttps://counterscarp.iohttp://localhost(any port — development only)
All other origins are blocked.
The web app uses a signed session cookie. If the SESSION_SECRET environment variable is not set, the application falls back to an insecure default and emits a loud warning at startup. Production deployments must set SESSION_SECRET.
# Generate a secure secret
python -c "import secrets; print(secrets.token_urlsafe(32))"
export SESSION_SECRET="<generated-value>"- Audit IDs are validated as UUIDs before use in file paths.
- Report download paths are resolved and checked to ensure they remain within the reports directory.
Uploaded contract files are validated for:
- UTF-8 encoding (binary blobs rejected)
- Sanitised filenames (path components stripped)
All authentication and validation events are written to the dedicated counterscarp.security Python logger (separate from the main application log). This includes login attempts, admin access, rate-limit hits, and webhook verification failures.
We appreciate responsible disclosure and will credit reporters in our release notes (unless they prefer to remain anonymous).