
Security: sunnypatell/securebank-ctf


SECURITY.md

Security Policy

🔐 Reporting a Vulnerability

This project intentionally contains security vulnerabilities for educational use in a Capture The Flag (CTF) setting. They are deliberate and designed to simulate realistic attack vectors, such as SQL injection.

However, if you discover unintended vulnerabilities (e.g., issues with cookie/session handling, exposure of developer secrets, or a flaw that breaks the app in a way not intended by the challenge), please report them privately and responsibly.

Please do not open public issues that detail active exploit paths outside of the intended CTF challenges.


✅ Responsible Disclosure Guidelines

  • Provide a clear explanation of the issue and the steps needed to reproduce it
  • Include a proof of concept if applicable
  • Do not use this project to attempt unauthorized real-world attacks
  • Do not attempt to upload exploits, malware, or malicious payloads to the repository

🔎 Scope

This project contains intentionally unsafe code for educational exploitation. Vulnerabilities like the following are considered intentional and do not require disclosure:

  • SQL Injection in search boxes (e.g., Transactions, Feedback)
  • Feedback form tampering
  • Bypassable login forms
  • Unvalidated input on non-critical endpoints

📚 For Educational Use Only

SecureBank is a CTF teaching tool modeled after apps like OWASP Juice Shop. It is not meant for production use. Any vulnerabilities discovered should be considered in the context of intentional insecure design.


🤝 Thanks

Thanks for helping make the educational side of web security better. All responsible disclosures will be acknowledged (privately or publicly, your choice).


📅 Response Targets (Best Effort)

  • Acknowledge report: within 3 business days
  • Initial assessment: within 7 business days
  • Mitigation plan (if needed): within 14 business days

These timelines are targets for a community‑maintained project and may vary.

🛡️ Safe Harbor

We consider research conducted in good faith and within the guidelines above to be authorized. We will not pursue legal action against individuals who:

  • Report vulnerabilities privately and responsibly
  • Do not compromise data beyond what is necessary to demonstrate a vulnerability
  • Avoid privacy violations, data destruction, and service disruption

🚫 Out of Scope (Examples)

  • Denial of service that materially impacts collaborators
  • Automated vulnerability scanners without actionable details
  • Findings limited to best‑practice recommendations with no concrete impact
