Only the latest release of Slipstream is supported with security updates.
| Version | Supported |
|---|---|
| latest | ✅ |
| < latest | ❌ |
Do NOT open public issues for security vulnerabilities.
If you discover a security vulnerability in Slipstream, please report it responsibly:
- Preferred: Use GitHub Security Advisories to create a private report.
- Alternative: Email the maintainers directly with details of the vulnerability.
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
- Suggested fix (if any)
- Acknowledgment: Within 48 hours of receipt
- Assessment: Within 7 days
- Fix & Disclosure: Within 90 days (coordinated responsible disclosure)
We follow a 90-day responsible disclosure timeline. If a fix is not released within 90 days, the reporter may disclose the vulnerability publicly.
Slipstream is a penetration testing tool designed for authorized security assessments. The following behaviors are features, not bugs:
- SSH session interception and command routing
- Tunnel management via SSH control sockets
- File transfer via SFTP/SCP/cat/base64 fallback chain
- Passive filesystem mapping from command output
- Per-command session logging and capture
- Target identification by SSH host key fingerprint
- Automatic OS detection from SSH output
- Credential and loot file collection via
!loot
These capabilities exist by design for legitimate security testing. Reports that simply describe Slipstream working as intended will be closed.
Slipstream is intended for authorized penetration testing, security research, and educational purposes only. Users are responsible for ensuring they have proper authorization before using this tool against any systems.