CodeGuard is a security tool. Vulnerabilities — particularly in the gate, honeypot, dashboard auth, or grant-jail code — directly affect operators' production servers. We take reports seriously.
Please do not file a public GitHub issue.
Email george@orcca.cloud with:
- A short description of the issue
- Reproduction steps (a
codeguard doctoroutput snapshot helps) - The CodeGuard version (
codeguard version) and OS / kernel / sshd version - Your proposed fix, if you have one
- (Optional) a PGP key you'd like a response encrypted to
You'll get a human acknowledgement within 72 hours. If you don't,
ping @GeorgeBigh on GitHub with a one-line "I emailed about a CVE,
please check" — no details — and I'll surface it.
In scope (please report):
- Auth bypass on
codeguard verify/gate/sftp-gate/exec-gate - Honeypot escape (commands that break out of the fake shell)
- Grant-user jail escape (any way
cg_*users see outside their--path) - Dashboard auth bypass (cookie forgery, brute force gaps, CSRF, XSS, SSRF on webhook URLs)
- WebAuthn signature verification flaws (cloned-authenticator detection, replay, origin spoofing)
- Information disclosure through error messages or timing
- Telegram bot impersonation / callback-token spoofing
- Privilege escalation via sudoers rule, setuid bwrap, or the
record-grant/grant-session-alertwrappers - Anything that causes a permanent lockout from a working install
Out of scope (please don't):
- Anything that requires already having root on the box
- Tailscale SSH bypassing CodeGuard (documented limitation)
- Brute-forcing the operator's secret offline if you somehow obtained
config.json; the scrypt cost is published — that's working as designed - The fact that
/usr/binis visible inside the grant jail; tightening this is roadmap (v1.3 —--path--strict)
| Stage | Timeline |
|---|---|
| Acknowledgement | ≤ 72 hours |
| Initial assessment + severity rating | ≤ 7 days |
| Fix + coordinated release | severity-dependent; critical issues within 14 days where feasible |
| Public disclosure | after a fix ships; reporters credited in CHANGELOG.md unless they ask not to be |
CodeGuard is a single-maintainer project. I'll be honest about timelines if a fix needs more than 14 days.
Reporters who responsibly disclose will be credited here once we have the first one. If you want to be the first, see above.