Security Policy

Responsible disclosure and security guidelines for LOLAPI

Reporting Security Issues

Do Not Open Public Issues

If you discover a security vulnerability, do not open a public GitHub issue. Follow responsible disclosure guidelines instead.

How to Report

Please report security vulnerabilities to the LOLAPI security team:

security@themagicclaw.com

Include detailed information about the vulnerability and any proof-of-concept code.

Response Timeline

  • Initial Response: within 48 hours of report submission
  • Investigation: we will investigate and verify the vulnerability
  • Fix & Release: we aim to fix critical issues within 7 days
  • Disclosure: public disclosure after the fix is released

Security Considerations

Data Integrity

LOLAPI entries are versioned and tracked in Git. All changes are auditable and reversible.

Code Examples

Abuse scenarios contain real code examples for educational and research purposes. These are not exploits, but demonstrations of attack techniques.

Responsible Use

LOLAPI is intended for defenders, researchers, and authorized red teamers. Unauthorized access or use of systems is illegal.

Detection Purpose

Detection strategies in LOLAPI are designed to help organizations defend against abuse of legitimate APIs.

Scope of Responsible Disclosure

In Scope

  • YAML schema or validation issues
  • Website/documentation vulnerabilities
  • Authentication/access control issues
  • Information disclosure
  • Data integrity issues

Out of Scope

  • Issues in third-party dependencies
  • Reports without evidence
  • Social engineering
  • Spam or low-quality reports
  • Issues already known/public

Legal Safe Harbor

We will not pursue legal action against researchers who:

  • Report vulnerabilities in good faith
  • Avoid violating any laws
  • Do not access unauthorized data
  • Do not disrupt services
  • Follow responsible disclosure practices

Acknowledgment

Researchers who responsibly disclose vulnerabilities may be acknowledged in the SECURITY_ADVISORIES file and on the website if desired.

PGP Key

For sensitive communications, you can encrypt your message with our PGP key:

-----BEGIN PGP PUBLIC KEY BLOCK----- [PGP Key Here] -----END PGP PUBLIC KEY BLOCK-----

Questions?

If you have questions about this security policy, please contact:

security@themagicclaw.com