| Version | Supported |
|---|---|
| 0.5.x | Yes |
| 0.4.x | Yes |
| 0.3.x | No |
| < 0.3 | No |

Am I Hacked? is a local, read-only security assessment tool. It does not expose network services, store data remotely, or run as a persistent agent.

Vulnerabilities in scope include:
- False negatives that would cause a genuinely compromised system to report as clean (detection logic bugs)
- Code execution bugs — scenarios where running the tool on a compromised system could allow the attacker to escalate or persist via the tool itself
- Insecure handling of API keys or user-supplied config that leaks credentials
- Report injection — malicious finding data that executes code when the HTML report is opened

Out of scope:
- False positives (legitimate software flagged as suspicious) — open a Detection Request instead
- Issues requiring physical access to the machine being scanned
- Findings about the user's own environment surfaced by the tool (that's the point)

Please do not open a public GitHub issue for security vulnerabilities.

Use GitHub's private vulnerability reporting to submit a report confidentially. Include:
- A description of the vulnerability and its impact
- Steps to reproduce or a proof-of-concept
- The version of the tool affected
- Any suggested fix if you have one

| Milestone | Target |
|---|---|
| Acknowledgement | Within 48 hours |
| Initial assessment | Within 5 business days |
| Fix or mitigation | Depends on severity — critical issues prioritized |
| Public disclosure | Coordinated with reporter after fix is released |

We follow responsible disclosure and will credit reporters in the release notes unless anonymity is requested.