What the platform does
- Samples are never executed. KE identifies, stores, and runs static extractors only — headless IDA, plus Python/Node. No sample is run as a program.
- Extractors are isolated processes with a manifest-in / files-out contract; IDA runs in batch mode. Run workers on hosts and networks scoped for untrusted-binary analysis.
- Downloads return raw bytes verbatim (
GET /objects/{sha256}/content). The API does not defang or wrap samples — handle them safely once they leave the platform.
Operator responsibilities
- Restrict access. The corpus REST API has no built-in authorization yet — deploy it behind your own access controls on a trusted network. Git transport via Gitea is per-user authenticated over HTTPS.
- Isolate the analysis environment (network egress, worker-host sandboxing) appropriate to handling live malware.
- Mind retention and sharing. Bytes remain reachable by hash after a location is deleted; plan retention and access accordingly.
Known gaps (roadmap)
Encrypted/defanged storage and download wrapping (e.g. password-protected archives),
API authentication/authorization, and download/audit logging are not yet implemented.
Compensate with deployment controls until they ship.
Report security issues privately via the repository's private vulnerability reporting or the internal Hex-Rays security channel — not a public issue.