
Security: mrhenrike/WordListsForHacking


SECURITY.md

Security Policy

Supported Versions

Version | Supported
2.4.x   |
2.3.x   |
< 2.3   |

All wordlists are generated by the WFH tool. Company names and CNPJs included in the Brazilian corpus are publicly available data obtained via OSINT (Receita Federal, public registries).

Reporting a Vulnerability

If you discover a security vulnerability in this project, please report it responsibly. Do not open a public GitHub issue.

How to Report

  1. Email: Send a detailed report to security@safelabs.com.br
  2. GitHub Security Advisory: Use the Security Advisories tab to create a private report.

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response Timeline

Action             | Target
Acknowledgment     | 72 hours
Initial assessment | 7 days
Fix or mitigation  | 30 days
Public disclosure  | After fix

Scope

The following are considered valid security concerns:

  • Data leaks in generated output — real PII, credentials, or company names appearing in patterns, model files, or generated wordlists when they should not be present.
  • Hardcoded credentials — API keys, tokens, or passwords left in source code or configuration files.
  • Injection in pattern engine — template injection or code execution through crafted input to pattern, corp-users, or other generation modules.
  • ML model data exposure — sensitive data leaking through the trained model file (.model/pattern_model.json).
  • Dependency vulnerabilities — known CVEs in direct dependencies listed in requirements.txt.

Out of Scope

  • Misuse of generated wordlists — this tool is designed for authorized penetration testing, red team exercises, and security research. Unauthorized use is the sole responsibility of the user.
  • Brute-force effectiveness — reports that generated wordlists can crack passwords are expected behavior, not a vulnerability.
  • Feature requests — use GitHub Issues for feature requests.

Responsible Disclosure

We follow coordinated disclosure practices:

  1. Reporter submits vulnerability privately.
  2. We acknowledge within 72 hours.
  3. We work on a fix and coordinate disclosure timing with the reporter.
  4. Fix is released and advisory is published.
  5. Reporter is credited (unless they prefer anonymity).

Attribution

Security reports are handled by André Henrique (@mrhenrike).
