Security Policy

Supported Versions

| Version | Supported |
|---------|-----------|
| 0.5.x   | Yes       |

Only the latest release receives security updates. Older versions are not patched.


Reporting Vulnerabilities

Do not open a public issue for security vulnerabilities.

Instead, send an email to the project maintainers with the following information:

  • Subject: [SECURITY] <brief description>
  • Description: What the vulnerability is and how it can be exploited.
  • Steps to reproduce: Minimal steps to trigger the issue.
  • Impact: What an attacker could achieve (e.g., unauthorized hardware control, data access).
  • Suggested fix (optional): If you have a proposed remediation.

Response Timeline

| Stage              | Target                                      |
|--------------------|---------------------------------------------|
| Acknowledgment     | Within 48 hours                             |
| Initial assessment | Within 1 week                               |
| Fix development    | Within 2 weeks for critical issues          |
| Disclosure         | Coordinated with reporter after fix is released |

We will work with you to understand the issue and develop a fix before any public disclosure. Credit will be given to reporters unless they prefer to remain anonymous.


Security Considerations for Ground Station Operators

TALOS controls physical hardware (antenna rotators and radio receivers) over a network. Operators should be aware of the following:

Network Security

  • Never expose the MQTT broker to the public internet without TLS and authentication. An unauthenticated MQTT connection allows anyone to send commands to rotators and receivers.
  • Use a VPN or private network between the control server and ground station hardware.
  • The PostgreSQL database port should not be exposed outside the Docker network.

Credential Management

  • Generate unique, strong values for SECRET_KEY, MQTT_PASS, and POSTGRES_PASSWORD.
  • Store credentials in the .env file, which is gitignored. Never commit secrets to version control.
  • Rotate credentials periodically, especially SECRET_KEY (which invalidates all active sessions).

Agent Deployment

  • Run the agent with minimal system privileges on station hardware.
  • Verify that rotctld and rigctld are bound to localhost only, not to 0.0.0.0.
  • If possible, use a hardware watchdog or systemd watchdog to restart the agent on failure.
  • Do not allow the agent to accept rotator/rig addresses from MQTT; configure them locally.
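
One way to run the rotctld/rigctld bind-address check from the list above, as an added example that is not part of the TALOS code base. It assumes a Linux station with `ss` from iproute2, run as root so process names are visible; the function names are hypothetical and the sample `ss` output is constructed.

```python
import ipaddress
import re
import subprocess

DAEMONS = ("rotctld", "rigctld")  # Hamlib daemons named on this page

# Constructed sample of `ss -H -ltnp` output (not captured from a real station).
SAMPLE = """\
LISTEN 0 5 127.0.0.1:4533 0.0.0.0:* users:(("rotctld",pid=812,fd=3))
LISTEN 0 5 0.0.0.0:4532 0.0.0.0:* users:(("rigctld",pid=815,fd=3))
LISTEN 0 5 [::1]:4533 [::]:* users:(("rotctld",pid=812,fd=4))
LISTEN 0 5 *:4534 *:* users:(("rigctld",pid=903,fd=3))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))
"""

def split_local(field):
    """Split 'addr:port' into (host, port); handles [v6] brackets and %scope."""
    host, _, port = field.rpartition(":")
    return host.strip("[]").split("%", 1)[0], port

def is_loopback(host):
    if host == "*":  # ss prints '*' for a dual-stack wildcard bind
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable address: flag it so a human reviews it

def exposed_listeners(ss_output, daemons=DAEMONS):
    """Return (process, host, port) for each daemon socket not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        # Without root, ss omits the process column and the line is skipped.
        if len(cols) < 6 or cols[0] != "LISTEN":
            continue
        names = re.findall(r'\("([^"]+)"', " ".join(cols[5:]))
        host, port = split_local(cols[3])
        for name in names:
            if name in daemons and not is_loopback(host):
                findings.append((name, host, port))
    return findings

def audit_live():
    """Run the same check against the sockets on this machine."""
    out = subprocess.run(["ss", "-H", "-ltnp"], capture_output=True,
                         text=True, check=True).stdout
    return exposed_listeners(out)

if __name__ == "__main__":
    for name, host, port in exposed_listeners(SAMPLE):
        print(f"EXPOSED: {name} listening on {host}:{port}")
```

An empty result from `audit_live()` means no rotctld or rigctld listener was found on a non-loopback address; it does not confirm that the daemons are running.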

Physical Safety

  • Antenna rotators can cause physical harm if commanded to move unexpectedly. Ensure mechanical stops and limit switches are properly configured.
  • Implement elevation limits in the rotator controller to prevent antenna damage.
  • Consider a physical emergency stop switch accessible at the station site.

Security Hardening (v0.5.3)

The following security improvements were shipped in v0.5.3 based on an independent code review:

  • Thread safety: threading.Lock added to Director globals and stream router UDP socket to prevent race conditions
  • CORS headers: Restricted from wildcard ["*"] to explicit allowlist (Content-Type, Authorization, X-Requested-With)
  • Rate limiting: Extended to all endpoint categories -- admin (30/min), public API (60/min), campaign creation (20/min)
  • Proxy-aware rate limiter: Reads X-Forwarded-For first hop instead of raw remote address
  • Input sanitization: HTML tag stripping on all user-controlled text fields (org name, description, campaign name, join request message)
  • Auth hardening: Magic link URL removed from logs, startup guard added, uniform login response prevents account enumeration
  • Session cookie: path="/" attribute added to /auth/verify
  • Geographic validation: Station coordinates constrained to valid ranges (lat: -90..90, lon: -180..180, alt: -500..20000m)

Known Security Limitations

The following items are documented in the roadmap and are being addressed:

  • Station API keys are stored in plaintext (bcrypt hashing planned for v0.6.0)
  • Dockerfiles run as root (non-root USER directive planned for v0.6.0)
  • No SBOM generation in CI (planned for v0.6.0)
  • Dependency hashes not pinned via pip-compile --generate-hashes (deferred due to platform-specific builds)
  • Server-side session store not yet implemented (Redis/DB-backed, planned for v0.6.0)

See docs/research/02-security-review.md and docs/research/07-code-review-2026-04.md for the full security assessments.