| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take security seriously at Pegasus Heavy Industries. If you discover a security vulnerability in CoreVPN, please report it responsibly.
DO NOT create a public GitHub issue for critical security vulnerabilities.
Instead, please email: security@pegasusheavyindustries.com
Include:
- A description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any suggested fixes (if available)

What to expect from us:
- Acknowledgment: We will acknowledge receipt within 48 hours
- Initial Assessment: We will provide an initial assessment within 7 days
- Resolution Timeline: We aim to resolve critical issues within 30 days
- Credit: We will credit you in our security advisory (unless you prefer anonymity)
For lower-severity security issues that can be discussed publicly, you may use our Security Issue Template.
When deploying CoreVPN:

For maximum privacy, enable ghost mode to disable all connection logging:

```bash
corevpn-server run --ghost --config /etc/corevpn/config.toml
```

Or in config.toml:

```toml
[logging]
connection_mode = "none"
```

- Always use TLS 1.3 (`tls_min_version = "1.3"`)
- Enable `tls_auth` or `tls_crypt` for additional protection
- Use strong cipher suites (`chacha20-poly1305` or `aes-256-gcm`)
- Use short-lived client certificates (`client_cert_lifetime_days = 30`)
- Regularly rotate the CA certificate
- Store private keys with restrictive permissions (0600)
- Run the server behind a firewall
- Use network policies in Kubernetes
- Consider using a separate network namespace
- Never commit secrets to version control
- Use environment variables or secret management tools
- Rotate the admin password regularly
CoreVPN includes several security features:
- Zero-Knowledge Mode: Ghost mode leaves no connection traces
- Anonymization: Hash IPs, usernames, and timestamps in logs
- Secure Deletion: 3-pass overwrite before log deletion
- Memory Safety: Written in Rust with no unsafe code in core paths
- Modern Cryptography: TLS 1.3, ChaCha20-Poly1305, Ed25519
We follow coordinated disclosure practices:
- Researcher reports vulnerability privately
- We acknowledge and assess the issue
- We develop and test a fix
- We release the fix and publish a security advisory
- Researcher may publish their findings after the fix is released
We currently do not have a formal bug bounty program, but we appreciate security research and will acknowledge contributors in our security advisories.
- Security issues: security@pegasusheavyindustries.com
- General questions: support@pegasusheavyindustries.com
- PGP Key: Available upon request