Security

How to report a security vulnerability in Meshfleet, what's in scope, and what we promise about response times.

Reporting a vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Email security@meshfleet.app (or john@meshfleet.app if the security inbox isn't set up yet). For sensitive reports you can also open a private GitHub security advisory.

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Affected versions
  • Your name / handle (optional, for credit)

We aim to acknowledge within 48 hours and ship a fix within 7 days for critical issues.

Supported versions

Security fixes are backported to the latest minor version. Older versions are not patched.

Version         Supported   Notes
0.8.x           Yes         Latest series — full security support
0.7.x           Yes         Critical fixes backported
0.6.x           Yes         Critical fixes backported
0.3.x – 0.5.x   ~           Best-effort; upgrade recommended
< 0.3           No          Unsupported

What we consider a security issue

What is NOT a security issue

Acknowledgments

Researchers who report valid issues get credited (with permission) in the release notes and a sponsor shoutout if you'd like. No paid bug bounty program yet — this is a small project.

Our security model

Meshfleet is designed so that a compromised MCP server has the same power as the user running it. This is the same trust model as opencode run itself, the Claude Code CLI, or any other local AI agent. We don't try to sandbox agents — we give the user clear visibility into what agents are doing (the dashboard TUI, the event log) and let them decide.