
Security: rizinorg/cutter

SECURITY.md

Security Policy

Supported Versions

Version          Supported
latest-release   yes

Reporting a Vulnerability

Security issues in the Cutter repository should be reported by email to [email protected]. Your email will be delivered to a small security team that will handle the report. Your email will be acknowledged within 48 hours, and you'll receive a more detailed response to your email within 72 hours indicating the next steps in handling your report.

For your convenience, we accept reports written in one of the languages listed on our security.txt page, but we prefer reports in English.

If you have not received a reply to your email within 48 hours, or have not heard from the security team for the past week, there are a few steps you can take (in order):

  • Directly contact Itay Cohen from the Security Team
  • Inform the team over the public chats that you sent a message regarding a security issue.

Important: Don't disclose any information regarding the issue itself in the public chats.

Please note that the Cutter Security team does not handle security issues in the rizin repository.

AI generated vulnerability reports

Following the widespread availability of large language models and generative AI, we have seen a number of security reports generated partially or entirely using such tools. Many of these contain inaccurate, misleading, or fictitious content. While AI tools can help draft or analyze reports, they must not replace human understanding and review.

If you use AI tools to help prepare a report, you must:

  • Disclose which AI tools were used and specify what they were used for (analysis, writing the description, writing the exploit, etc.).
  • Verify that the issue describes a real, reproducible vulnerability that otherwise meets these reporting guidelines.
  • Avoid fabricated code, placeholder text, or references to non-existent code.

Reports that appear to be unverified AI output will be closed without response. Repeated low-quality submissions may result in a ban.

For these reasons, we decided to align with similar policies adopted by other major open-source projects, which have described the flood of unverified AI-generated reports as disruptive, counterproductive, and a drain on limited security team resources.

There aren’t any published security advisories