| Version | Supported |
|---|---|
| main | ✅ |
| < 0.6.0 | ❌ |

Do NOT open a public issue for security vulnerabilities.
Instead, please report via one of:
- GitHub Security Advisories: https://github.com/igorls/meshguard/security/advisories/new
- Email: Contact the maintainer directly

Please include:
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact

Response timeline:
- Acknowledgment: within 48 hours
- Initial assessment: within 7 days
- Fix timeline: depends on severity (critical: 7 days, medium: 30 days)

Security features:
- ChaCha20-Poly1305 encryption (WireGuard-compatible)
- Ed25519 identity keys
- Noise_IKpsk2 handshake with anti-replay
- Decentralized trust (no central authority)
- Org PKI for fleet trust
- Key rotation every 120 seconds
- RX cryptokey routing: decrypted packets must carry an inner source IP belonging to the sending peer
- Authenticated org control plane: revoke/alias/vouch messages require a verified org Ed25519 signature
- Confirmed failure detection: gossiped death only suspects a peer locally; eviction requires our own probe to fail
- Inbound-handshake rate limiting: per-source + global token bucket before the X25519

See docs/concepts/security.md for full security model documentation.
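The RX cryptokey routing item above, as an added example that is not meshguard's own code: after decryption, the inner source address is parsed from the IPv4/IPv6 header and checked against the prefixes assigned to the peer whose key decrypted the packet. The peer names, the prefix table and the function names are assumptions made for this sketch.

```python
import ipaddress

# Constructed table: peer id -> prefixes that peer may use as inner source address.
# Peer names and addresses are assumptions for this example.
PEER_PREFIXES = {
    "peer-a": [ipaddress.ip_network("10.99.0.2/32"), ipaddress.ip_network("fd99::2/128")],
    "peer-b": [ipaddress.ip_network("10.99.0.3/32")],
}

def inner_source(packet: bytes):
    """Return the source address of a decrypted IPv4/IPv6 packet, or None if malformed."""
    if not packet:
        return None
    version = packet[0] >> 4
    if version == 4 and len(packet) >= 20:
        return ipaddress.IPv4Address(packet[12:16])
    if version == 6 and len(packet) >= 40:
        return ipaddress.IPv6Address(packet[8:24])
    return None

def rx_accept(peer_id: str, packet: bytes, table=PEER_PREFIXES) -> bool:
    """Accept only if the inner source belongs to the peer whose key decrypted the packet."""
    src = inner_source(packet)
    if src is None:
        return False  # truncated or non-IP payload: drop
    return any(src.version == net.version and src in net
               for net in table.get(peer_id, []))

def ipv4_packet(src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left zero, unused by this check)."""
    head = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 17, 0, 0])
    return head + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed

def ipv6_packet(src: str, dst: str) -> bytes:
    """Constructed 40-byte IPv6 header with no payload."""
    head = bytes([0x60, 0, 0, 0, 0, 0, 59, 64])
    return head + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed

if __name__ == "__main__":
    print(rx_accept("peer-a", ipv4_packet("10.99.0.2", "10.99.0.3")))  # own address
    print(rx_accept("peer-a", ipv4_packet("10.99.0.3", "10.99.0.2")))  # peer-b's address
```

A packet that authenticates under peer-a's session key but carries peer-b's address as its inner source is dropped, so a valid peer cannot inject traffic that appears to come from another mesh member.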