Security Policy

The canonical security policy lives at SECURITY.md in the repo root. It documents:

  • What Genesis Mesh defends against (in scope)

  • What Genesis Mesh does not defend against (out of scope)

  • How to report a vulnerability privately

  • Supported versions

This page covers only the development-side expectations for writing and reviewing security-sensitive changes.

Reviewing a Security Change

A security change should:

  • include a test that fails without the fix and passes with it

  • avoid unrelated refactors

  • update the relevant docs in the same change if it touches a trust boundary or operational procedure

Areas Requiring Careful Review

Pay extra attention to changes that touch:

  • private key handling

  • signature verification

  • canonical JSON signing payloads

  • invite-token enrollment

  • certificate renewal and revocation

  • peer handshake authentication

  • replay protection

  • deployment secret handling

Reporting

Open a draft advisory at github.com/GenesisMeshLabs/genesismesh/security/advisories/new. See SECURITY.md for the full reporting process, acknowledgement timeline, and remediation expectations.