The CIS Controls Audit Tool team takes security seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.

Please DO NOT report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability within this project, please send an email to:

📧 Security Contact: site@hotmail.com

To help us better understand and address the issue, please include the following information:

• Type of vulnerability (e.g., XSS, CSRF, data exposure, etc.)
• Full paths of source file(s) related to the vulnerability
• Location of the affected source code (tag/branch/commit or direct URL)
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it
• Any potential fixes you've identified

1. Acknowledgment: You will receive an acknowledgment within 48 hours
2. Assessment: We will assess the vulnerability and determine severity
3. Updates: We will keep you informed about our progress
4. Resolution: We will work to fix the vulnerability as quickly as possible
5. Credit: We will credit you in the security advisory (unless you prefer to remain anonymous)

The following are considered in scope for security reports:

• Cross-Site Scripting (XSS) vulnerabilities
• Cross-Site Request Forgery (CSRF) issues
• Authentication and authorization flaws
• Data exposure through localStorage or browser storage
• Injection vulnerabilities in user inputs
• Client-side security issues that could lead to data compromise
• Privacy violations or sensitive data leakage
• Clickjacking vulnerabilities
• Open redirects that could be exploited

The following are generally considered out of scope:

• Reports from automated tools or scanners without validation
• Social engineering attacks
• Physical attacks
• Denial of Service (DoS) attacks
• Issues in third-party services or dependencies (report to respective maintainers)
• Issues that require physical access to a user's device
• Theoretical vulnerabilities without proof of exploitability
• Best practice violations without security impact

1. Keep Your Browser Updated

   • Use the latest version of modern browsers (Chrome, Firefox, Edge, Safari)
   • Enable automatic updates for security patches

2. Clear Browser Data Periodically

   • Audit data is stored in browser localStorage
   • Clear data when using shared computers
   • Export sensitive audit data regularly

3. Use HTTPS

   • Always access the tool via HTTPS (GitHub Pages uses HTTPS by default)
   • Verify the URL matches the official repository

4. Be Cautious with Exports

   • Exported audit reports may contain sensitive information
   • Store exports securely
   • Use encryption for sensitive audit data
   • Don't share exports via unsecured channels

5. Verify Integrity

   • Clone from official repository: https://github.com/SiteQ8/CIS-Audit-Tool
   • Verify GitHub Pages deployment matches official source
   • Review code changes before updating

1. Self-Hosting Security

   • Use HTTPS for all deployments
   • Implement Content Security Policy (CSP) headers
   • Set proper CORS policies
   • Enable HSTS (HTTP Strict Transport Security)

2. Access Control

   • Implement authentication if hosting internally
   • Use role-based access control (RBAC) for multi-user deployments
   • Regularly review access logs
   • Implement IP whitelisting if needed

3. Data Protection

   • Consider server-side storage with encryption at rest
   • Implement backup and recovery procedures
   • Use secure transmission protocols
   • Comply with data protection regulations (GDPR, CCPA, etc.)

4. Monitoring and Logging

   • Monitor for suspicious activity
   • Log access and changes
   • Set up alerts for anomalies
   • Regular security audits

5. Dependency Management

   • Review third-party dependencies (if any)
   • Keep dependencies updated
   • Use tools like npm audit or Snyk
   • Monitor security advisories

The CIS Controls Audit Tool implements the following security features:

1. Client-Side Only

   • No server-side processing or data transmission
   • All data stored locally in browser
   • No external API calls for core functionality

2. Input Validation

   • Sanitization of user inputs
   • Prevention of XSS through proper encoding
   • Validation of data before storage

3. Content Security

   • No inline scripts or styles (CSP-friendly)
   • No eval() or similar dangerous functions
   • Proper HTML escaping for user content

4. Data Isolation

   • localStorage scoped to origin
   • No cookies used
   • No session tracking
   • No analytics or tracking scripts

5. Export Safety

   • Safe JSON serialization
   • CSV generation without formula injection
   • HTML export with proper sanitization

If self-hosting, implement these security headers:

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

This tool does not collect or transmit any user data:

• ✅ No analytics or tracking
• ✅ No telemetry
• ✅ No external API calls
• ✅ No cookies
• ✅ No server-side storage
• ✅ All data remains in your browser

• Audit data is stored in browser localStorage only
• Data never leaves your device
• You control all data through export/import
• Clear browser data to remove all stored information

• No data is shared with third parties
• No data is transmitted to external servers
• Export files are generated client-side only
• You control all data sharing through manual export

When deploying this tool in regulated environments, consider:

1. GDPR Compliance (EU)

   • Implement data protection measures
   • Provide data export/deletion capabilities
   • Document data processing activities
   • Implement appropriate security measures

2. CCPA Compliance (California)

   • Provide transparency about data usage
   • Enable data deletion
   • Respect user privacy rights

3. HIPAA Compliance (Healthcare)

   • Don't store PHI in audit notes
   • Implement access controls
   • Use encrypted storage if handling sensitive data
   • Maintain audit logs

4. PCI DSS Compliance (Payment Card)

   • Don't store cardholder data in audit tool
   • Implement proper access controls
   • Regular security assessments
   • Network security measures

5. Industry-Specific Regulations

   • Review applicable regulations
   • Implement required controls
   • Document compliance measures
   • Regular compliance audits

1. Assessment: Evaluate severity and impact
2. Fix Development: Create and test security patches
3. Disclosure: Coordinate responsible disclosure
4. Release: Deploy fixes as quickly as possible
5. Notification: Announce via GitHub Security Advisories

We use the following severity classifications:

• Critical: Immediate exploitation possible, high impact
• High: Exploitation likely, significant impact
• Medium: Exploitation possible with conditions, moderate impact
• Low: Limited exploitation, minimal impact

• Critical: Fix within 24-48 hours
• High: Fix within 7 days
• Medium: Fix within 30 days
• Low: Fix in next regular release

Security advisories will be published:

1. GitHub Security Advisories - Primary channel
2. Repository README - Link to advisories
3. Release Notes - Security fix details
4. Email - Direct notification to reporters

Currently, this is an open-source project without a formal bug bounty program. However:

• We deeply appreciate security researchers' efforts
• We will credit researchers in security advisories
• We welcome responsible disclosure
• Consider contributing fixes via pull requests

We would like to thank the following individuals/organizations for responsibly disclosing security issues:

(This section will be updated as security issues are reported and resolved)

Security Contact: site@hotmail.com

For general questions and non-security issues:

• GitHub Issues: https://github.com/SiteQ8/CIS-Audit-Tool/issues
• GitHub Discussions: https://github.com/SiteQ8/CIS-Audit-Tool/discussions

We believe in responsible disclosure and ask that you:

1. Don't exploit the vulnerability beyond what's necessary for demonstration
2. Don't access or modify other users' data
3. Give us time to address the issue before public disclosure
4. Act in good faith and avoid violating privacy or causing damage

We commit to:

1. Acknowledge your report promptly
2. Keep you informed about our progress
3. Credit you appropriately (if desired)
4. Work with you to understand and resolve the issue
5. Not pursue legal action against good-faith security researchers

• OWASP Top 10 - Web application security risks
• CWE Top 25 - Most dangerous software weaknesses
• Web Security Guidelines - Mozilla's security guidelines
• GitHub Security Best Practices

• v1.0 (November 2024) - Initial security policy

Last Updated: November 10, 2025

Policy Version: 1.0

Thank you for helping keep the CIS Controls Audit Tool and its users safe! 🔒