
Security: Inventrom/vuln-notes-training

SECURITY.md

Security Policy

⚠️ Bug reports are not accepted for this repository

This application is intentionally vulnerable. It exists to teach students how to find and fix security flaws using AI coding agents. Reporting a planted vulnerability as a bug is not useful — finding them is the assignment.

What's planted (high level)

This repo contains five deliberately-introduced security vulnerabilities, each mapped to a real-world category:

  1. Cross-Site Scripting (XSS) via unsafe DOM rendering
  2. Hardcoded credentials in client-side source
  3. Arbitrary code execution via eval() on user input
  4. Open redirect via unvalidated URL parameter
  5. Prototype pollution via unsafe object merge

Each vulnerability is marked in the source with a comment containing the phrase INTENTIONAL VULNERABILITY for training, so there is no ambiguity about which flaws were planted.

The full mapping of vulnerabilities to OWASP categories, the "before" and "after" code, and the audit report are reserved for instructor reference and are not published in this public repository.
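The repository's own "before" and "after" code is not published here, but item 5 in the list above (prototype pollution via an unsafe object merge) can be illustrated generically. The following is an added example, not code from Inventrom/vuln-notes-training: a naive recursive merge that a crafted JSON document can use to write onto Object.prototype, beside a hardened merge that drops the prototype-affecting keys and builds nested targets with no prototype chain. The function names (naiveMerge, safeMerge, demonstrate), the blocked-key set and the crafted input are assumptions constructed for this illustration.

```javascript
// Added illustration; not code from the training repository.
// Names and the sample input below are constructed for this example.

// Naive deep merge: copies every own key of `source`, including "__proto__".
// JSON.parse creates "__proto__" as an own data property, so the key is
// visited, and reading target["__proto__"] on a plain object resolves to
// Object.prototype, which then receives the nested values.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that let a merge reach the prototype chain. (Assumed list for this
// example; "constructor" and "prototype" cover the constructor.prototype path.)
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened deep merge: skips blocked keys, only recurses into own properties
// of `target`, and creates nested targets with Object.create(null) so there is
// no prototype to pollute even if a check were bypassed.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue; // drop prototype-affecting keys
    const value = source[key];
    if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (typeof existing !== 'object' || existing === null) {
        target[key] = Object.create(null); // no prototype chain
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge over a constructed untrusted document and reports whether an
// unrelated, freshly created object can now see the injected property.
// Object.prototype is restored afterwards so the rest of the process is unaffected.
function demonstrate(mergeFn) {
  const untrusted = JSON.parse('{"__proto__": {"polluted": true}}'); // constructed sample input
  const result = mergeFn({}, untrusted);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { leaked, ownKeys: Object.keys(result) };
}

// Usage: naiveMerge leaks, safeMerge does not.
console.log('naiveMerge leaked:', demonstrate(naiveMerge).leaked);
console.log('safeMerge leaked:', demonstrate(safeMerge).leaked);
```

The check to carry into the exercise is the one `demonstrate` performs: after merging untrusted input, create a fresh `{}` and confirm it has not acquired any property it should not have. A blocklist alone is a reasonable first fix; combining it with `Object.create(null)` targets (or `structuredClone` and a schema validator for the input) removes the prototype as a reachable target altogether.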

What to do if you find a real bug

If you find a problem that is genuinely not a planted vulnerability — for example a broken link, a typo in the README, or a UI glitch — you can open an issue on the repository. Please do not report security findings; this app is meant to be insecure.

What this app cannot do

For the avoidance of doubt, the planted vulnerabilities are all client-side. They cannot:

  • Read files on the user's machine
  • Make network requests to any external server
  • Install software
  • Persist data outside localStorage for this origin
  • Affect any other browser tab

The app is safe to open and explore in any modern browser.
