MethodAtlas is a security-classification tool used in regulated environments. We treat every vulnerability report with the same urgency we ask of the teams that adopt this tool.
| Version stream | Supported |
|---|---|
Latest release tag (release@*) |
✅ Full support |
| Older releases | ❌ No backports — please upgrade |
Do not open a public GitHub issue for security vulnerabilities.
Report privately so that a fix can be prepared before the details become public:
- Use GitHub's private "Report a vulnerability" button on the Security tab of this repository.
- Alternatively, send an encrypted e-mail to
security@egothor.org. Our PGP key fingerprint is published on keys.openpgp.org.
Include as much detail as possible:
- Affected component and version
- Steps to reproduce or a minimal proof-of-concept
- Potential impact (confidentiality, integrity, availability, compliance)
- Whether you believe it is exploitable in a default configuration
| Milestone | Target |
|---|---|
| Acknowledgement | within 2 business days |
| Triage and severity assessment | within 5 business days |
| Fix or mitigation plan communicated to reporter | within 30 days for critical/high; 90 days for lower severity |
| Public advisory and release | coordinated with reporter |
We follow coordinated vulnerability disclosure. If you require a longer embargo for deployment, please say so in your report.
The following are in scope:
- All Java source code in this repository (core engine, discovery plugins, GUI)
- The TypeScript scanner bundle embedded in
methodatlas-discovery-typescript - The Python scanner script embedded in
methodatlas-discovery-python - Build-time and runtime dependencies that we can influence (upgrade or patch)
- The generated SARIF and YAML outputs (injection, information disclosure)
The following are out of scope:
- Third-party AI provider APIs or model behaviour
- Vulnerabilities in the user's own codebase that MethodAtlas analyses
- Issues that require physical access to the analyst's workstation
We will acknowledge researchers who report valid vulnerabilities in the release notes and security advisory, unless you request anonymity.
MethodAtlas embeds two helper scripts inside its JARs that are executed as external subprocesses during a scan:
| Script | JAR | Manifest attribute |
|---|---|---|
ts-scanner.bundle.js |
methodatlas-discovery-typescript |
TS-Scanner-Bundle-SHA256 |
py-scanner.py |
methodatlas-discovery-python |
Py-Scanner-SHA256 |
At startup each plugin reads the script from the JAR classpath, computes its
SHA-256, and compares it against the value recorded in MANIFEST.MF at build
time. A mismatch causes the plugin to abort before executing the script.
This check protects result authenticity: a tampered script could selectively suppress or fabricate discovered test methods, producing a falsified audit report. By refusing to run a script whose hash does not match the build-time value, MethodAtlas ensures that the discovery output reflects the unmodified, peer-reviewed scanner logic.
Security reports targeting this integrity chain — for example, a vulnerability that allows the manifest hash to be forged, or that allows the script bytes to be substituted without updating the manifest — are treated as critical regardless of CVSS score.
MethodAtlas is developed to support security assessments in environments subject to standards such as ISO 27001, SOC 2, and financial-sector regulations. Security reports affecting audit-trail integrity or override-file confidentiality are treated as critical regardless of CVSS score.