Security: DjGreenKrk/Ham-Router

SECURITY.md

Security Policy

Supported Versions

This project is under active development and does not currently maintain multiple supported release lines.

Security fixes, when possible, are applied to the current development version in the default branch.

Version                      Supported
---------------------------  ---------
main                         Yes
older branches / snapshots   No

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

If you believe you have found a security issue, please report it privately to the maintainer and include as much of the following as possible:

  • affected component or file
  • dependency name and version, if relevant
  • environment details
    • OS
    • Python version
    • deployment style such as local laptop, field node, VM, or test environment
  • steps to reproduce
  • expected behavior
  • actual behavior
  • logs, stack traces, screenshots, or packet samples if safe to share
  • whether the issue requires local access, LAN access, radio access, or remote network access

Examples of issues worth reporting:

  • remote code execution
  • command injection
  • path traversal
  • credential or token leakage
  • unsafe deserialization
  • unauthenticated control of adapters or GUI endpoints
  • denial of service caused by malformed network or radio input
  • dependency vulnerabilities with realistic impact on this project

Disclosure Expectations

Please allow reasonable time for investigation and remediation before any public disclosure.

Because this is an actively evolving field/hobby project, response time may vary. The goal is to acknowledge valid reports, reproduce the issue, assess impact, and apply a fix or mitigation when feasible.

Scope Notes

This repository includes:

  • network-facing adapters
  • local GUI and control surfaces
  • protocol parsers for APRS, SARTrack, Meshtastic, and CoT-related paths

When reporting an issue, it is especially helpful to describe whether the issue affects:

  • input parsing
  • routing logic
  • adapter connection management
  • configuration handling
  • local operator panel behavior
  • third-party dependencies

Dependency Security

This repository is prepared for GitHub dependency monitoring and Dependabot-based checks.

Dependency-related reports are still welcome, especially if:

  • a vulnerable package is in active use by the project
  • the impact is reachable in real gateway workflows
  • the issue affects a transitive dependency that may not be obvious from requirements.txt