Skip to content

Security: styxabhor/Project-Lethe

Security

SECURITY.md

Security Policy

Project Lethe is intended for authorized security testing and defensive WAF resilience validation.

Responsible Usage

Only use this tool on systems you own, administer, or have explicit written permission to test. Lethe's generation commands do not send network traffic and do not include payload packs, but generated variants may still be sensitive in the wrong context.

Profile mode can send bearer tokens, cookies, and custom headers to a URL you provide. Prefer environment-variable based options, avoid committing real tokens to config files, and only profile authenticated routes where testing is explicitly authorized.

AI planning can call Gemini, OpenAI, Claude, local providers such as Ollama, LM Studio, LocalAI, or another OpenAI-compatible endpoint when you configure a provider. Store only the provider, model, base URL, and API-key environment variable name in .lethe.toml. Keep actual cloud API keys in your shell environment. The direct --ai-api-key flag exists for quick local tests, but it can land in shell history. Local providers do not require real API keys, but you should still treat prompts and site profiles as sensitive testing context.

lethe auth save stores auth material temporarily in a local cache outside the repository, usually ~/.cache/project-lethe/auth.json. It is plaintext local storage with a TTL, so treat it like a sensitive file, keep TTLs short, and run lethe auth purge when finished. Lethe writes the cache with 0600 permissions when the filesystem supports POSIX permissions.

HTTP discrepancy and stress-template features generate request templates only; Lethe does not send them. Keep stress settings bounded, prefer local labs for regex and inspection-window checks, and do not use generated templates to crash, exhaust, or degrade services.

Advanced novelty mode, stacked mutations, and polymorphic padding are bounded local generation features. They are intended for authorized normalization and parser-resilience testing, not for claiming real zero-day exploit generation or evading controls on third-party systems without permission.

Reporting Security Issues

If you find a vulnerability in Project Lethe itself, please open a private security advisory or contact the maintainer privately before publishing details.

Out Of Scope

Requests to add target scanning, automated exploitation, credential attacks, or WAF-specific bypass packs are out of scope for this project.

There aren't any published security advisories