The TacticalMesh team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings.
Preferred Method: Use GitHub Security Advisories to report vulnerabilities privately.
Alternative: Email security concerns to the repository maintainers via the contact information in the repository.
When reporting a vulnerability, please include:
- Description of the vulnerability
- Steps to reproduce the issue
- Affected versions if known
- Potential impact of the vulnerability
- Suggested remediation if you have one
After a report is received, you can expect the following response timeline:
- Acknowledgment: Within 72 hours
- Initial assessment: Within 7 days
- Status updates: Every 14 days until resolved
TacticalMesh is open-source, unclassified software designed as general-purpose networking infrastructure:
> [!IMPORTANT]
> No Warranty. This software is provided "AS IS" without warranty of any kind. See the Apache 2.0 License for details.

> [!CAUTION]
> No Accreditation. TacticalMesh has NOT received any government security accreditation, Authority to Operate (ATO), or certification. Organizations deploying this software in government or defense environments are solely responsible for obtaining necessary authorizations.
| Feature | Implementation Status |
|---|---|
| Transport Encryption | ✅ HTTPS/TLS (standard libraries) |
| Authentication | ✅ JWT tokens with configurable expiration |
| Authorization | ✅ Role-based access control (Admin, Operator, Observer) |
| Audit Logging | ✅ Timestamped logs of all significant actions |
| Password Storage | ✅ bcrypt hashing |
| Input Validation | ✅ Pydantic schema validation |
| Rate Limiting | ✅ 5/min login, 10/min registration |
| Account Lockout | ✅ 15-minute lockout after 5 failed attempts |
| Password Complexity | ✅ Requires uppercase, lowercase, digit, special char |
| Forced Password Change | ✅ Default admin must change password on first login |
| Mesh Routing TTL | ✅ Hop limits prevent routing loops (default 5 hops) |
| Mesh Path Tracing | ✅ Full relay path logged for audit |
This project explicitly does NOT include:
- ❌ Cryptographic implementations beyond standard TLS
- ❌ Classified algorithms or data handling
- ❌ Hardware security module (HSM) integration
- ❌ FIPS-validated cryptography
- ❌ Export-controlled technology
Organizations deploying TacticalMesh are responsible for:
- Obtaining any required security authorizations (ATO, IL certifications, etc.)
- Conducting their own security assessments
- Ensuring compliance with applicable laws and regulations
- Export control due diligence (see docs/compliance-and-export-notes.md)
| Version | Supported |
|---|---|
| 0.1.x | ✅ Active development |
| < 0.1 | ❌ Not supported |
When deploying TacticalMesh:
- Change default credentials immediately after initial setup
- Use HTTPS for all controller communications
- Restrict network access to the controller using firewalls
- Review audit logs regularly for suspicious activity
- Keep dependencies updated via Dependabot or manual review
- Run in isolated environments with minimal privileges
We thank the security research community for helping improve this project. Responsible disclosure of vulnerabilities is greatly appreciated.