This repository contains educational security research: reproductions of publicly disclosed vulnerabilities, proof-of-concept code, and detection content. It exists to help defenders understand, detect, and remediate real threats.
- Every technique here targets software you deploy yourself inside the provided isolated, disposable lab environments.
- Do not use any material here against systems you do not own or lack explicit written authorization to test. Doing so is illegal in most jurisdictions.
- No zero-days, no undisclosed vulnerabilities, and no live-target tooling are published here. Every CVE references its official NVD entry and vendor advisory.
- The author accepts no liability for misuse. Use is governed by the LICENSE.
By using this repository you agree to use it lawfully and ethically.
If you find a security issue in the lab tooling or automation itself (not in the target software, which is intentionally vulnerable), please report it privately:
- Open a GitHub Security Advisory (preferred), or
- Email the maintainer via the address on the GitHub profile.
Please include: affected file/component, reproduction steps, and impact.
| Response target | within 5 business days |
| Fix target | severity-dependent; tracked in CHANGELOG.md |
| Coordinated disclosure | supported and appreciated |
Please do not open public issues for security-tooling vulnerabilities until they have been addressed.
The latest tagged release (see Releases) receives fixes. Labs pin the specific vulnerable versions of target software by design and are not "upgraded" — that is the point of the reproduction.