This is the documentation and deployment repository for Beacon. If you have found a vulnerability in the Beacon application itself (server or web), please report it against the relevant code repository:
Please do not report security issues through public GitHub issues. Issues are disabled on this repository.
Instead, contact the maintainers directly via the MeshCore Canada Discord server: reach out to dedskelly directly. Include as much detail as possible: the nature of the issue, steps to reproduce, and any potential impact.
We will acknowledge receipt within 48 hours and aim to provide a fix or mitigation within 14 days depending on severity.
Once a fix is released we will publish a security advisory on the relevant repository.
The Docker deployments in this repo expose db, redis, and app only on
127.0.0.1, with Caddy terminating TLS on ports 80/443. Beacon has no
authentication layer and is intended to sit behind that reverse proxy on a
trusted network. Keep this in mind when assessing the severity of any findings,
and never expose the database, Redis, or the raw app port to the public
internet.
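
One way to check a deployment against the exposure model described above, as an added example that is not part of this repository: it audits Compose short-syntax `ports` entries and reports anything published beyond loopback. The sample mapping, the `caddy` service name, and the `PUBLIC_OK` allowlist are assumptions made for illustration.

```python
import ipaddress

# Constructed sample, not the repository's actual compose file: service name ->
# short-syntax "ports" entries ([HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO]).
SAMPLE = {
    "db": ["127.0.0.1:5432:5432"],
    "redis": ["6379:6379"],          # no host IP: published on all interfaces
    "app": ["0.0.0.0:8000:8000"],    # explicit wildcard address
    "caddy": ["80:80", "443:443", "443:443/udp"],
}

# Assumption: the reverse proxy service is named "caddy" and is the only one
# allowed to publish on non-loopback addresses, and only on ports 80 and 443.
PUBLIC_OK = {"caddy": {"80", "443"}}


def parse_port(spec):
    """Return (host_ip, host_port) for one short-syntax entry.

    host_ip is "0.0.0.0" when omitted, since Docker then publishes on all
    interfaces by default; host_port is None when Docker picks the port.
    """
    spec = spec.split("/", 1)[0]                 # drop /tcp or /udp
    if spec.startswith("["):                     # bracketed IPv6 host address
        ip, _, rest = spec[1:].partition("]:")
        parts = rest.split(":")
    else:
        parts = spec.split(":")
        ip = parts.pop(0) if len(parts) == 3 else "0.0.0.0"
    host_port = parts[0] if len(parts) == 2 and parts[0] else None
    return ip, host_port


def audit(services, public_ok=PUBLIC_OK):
    """List (service, entry) pairs published beyond loopback with no allowance."""
    findings = []
    for name, ports in services.items():
        for spec in ports:
            ip, host_port = parse_port(spec)
            if ipaddress.ip_address(ip).is_loopback:
                continue                         # reachable from the host only
            if host_port in public_ok.get(name, set()):
                continue                         # the proxy's public listener
            findings.append((name, spec))
    return findings


if __name__ == "__main__":
    for name, spec in audit(SAMPLE):
        print(f"EXPOSED {name}: {spec}")
```

Host port ranges are never matched by the allowlist, so a range published on a non-loopback address is always reported.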