Shannon security review - 2026-02-24

[Yeraze]

With all the fallout today from Huntarr's "disappearance", I wanted to be very clear with everyone that MeshMonitor is a 99+% "Vibe Coded" application using Claude Code. I do my best to keep it secure and stable, but it's mainly me overseeing Claude as he works.

To try and make this clear and allay any fears of the system:

• There is a new SECURITY.md file in the root of the repo covering this.
• I just dropped $50 on Anthropic credits to run a Shannon pentest against the https://meshmonitor.yeraze.com (on my internal network as https://mesh.yeraze.online). The results are in github on this branch: https://github.com/Yeraze/meshmonitor/tree/shannon_findings_2026-02-24/deliverables

The cliffnotes of the findings are Pretty Positive.

• In the Final Report, the only real finding was one of "Horizontal Authorization Bypass on Telemetry Endpoint", meaning they were able to load telemetry for a node without authentication. That's exactly how the system is configured right now, with the Info tab public for anonymous, so it's not a true findings.
• There are other findings in the Authz report that discuss how permissions are not granular to specific nodes, just to broad permissions.. Which again, is exactly how the system is designed so it's not a true finding.

If people find this useful I'll try to make it a regular thing, but please note that:

• I'm one guy.
• I'm not a security expert, although I have a little bit of knowledge and experience in the area.
• This isn't meant to be DOD level infrastructure, it's just a fun hobbyist project for a fun open-source community.