If you discover a security vulnerability in peat-mesh, please report it responsibly. Do not open a public GitHub issue for security vulnerabilities.
You have two options:
- Email: Send a detailed report to security@defenseunicorns.com
- GitHub Security Advisories: Use the private vulnerability reporting feature on this repository
Please include the following in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response timeline:
- Acknowledgment: Within 3 business days
- Initial assessment: Within 10 business days
- Fix timeline: Dependent on severity
Disclosure policy:
- We will acknowledge reporters in the remediation PR (unless anonymity is requested)
- We follow coordinated disclosure practices
- We aim to release patches before public disclosure
Supported versions:

| Version | Supported |
|---|---|
| latest | Yes |
peat-mesh is a P2P mesh networking library. The following areas are particularly security-sensitive:
- Mesh networking: Peer discovery, topology management, and message routing
- QUIC transport: TLS configuration, connection establishment, and stream multiplexing
- Certificate enrollment: Identity issuance, validation, and chain-of-trust verification
- CRDT sync: Conflict-free replicated data type synchronization and state convergence
When integrating peat-mesh, follow these practices:
- Validate peer identities before accepting connections
- Use the provided certificate enrollment flow rather than manual certificate management
- Keep dependencies up to date
- Monitor QUIC transport configurations for secure defaults