If you discover a security vulnerability in Iskander, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities once Iskander is in operational use.

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if you have one)

We will acknowledge receipt within 48 hours and provide an initial assessment within 7 days.

Iskander is designed for deployment on the open internet. The security architecture includes:

• Cloudflare Tunnel (default): Zero open ports, outbound-only connections
• Headscale mesh: Encrypted WireGuard tunnels for inter-cooperative federation
• K3s network policies: Internal service isolation

• Authentik SSO: Single identity provider for all services
• Vaultwarden: Encrypted credential storage for cooperative secrets
• TLS everywhere: All inter-service communication encrypted

• MACI ZK voting: Individual votes are never disclosed
• Soulbound Tokens: Non-transferable membership credentials
• IPFS content addressing: Tamper-evident decision records

• Beszel monitoring: Service health and anomaly detection
• Backrest/Restic: Encrypted backups with point-in-time recovery
• Non-root containers: Minimal privilege execution

Iskander assumes:

• The server operator is trusted but should not be able to alter decision records
• Individual member votes must be private even from administrators
• External attackers should not be able to determine cooperative membership or activities
• Inter-cooperative federation traffic must be encrypted end-to-end

See docs/plan.md for the full security architecture.