Responsible disclosure

Tell us if something is wrong. Quickly.

Beacons runs a public vulnerability disclosure program. We acknowledge reports within 24 hours, triage within 72, and publish post-incident write-ups when the fix ships.

Where to send

Email security@beacons.sh — PGP key fingerprint 4E63 ABA1 F0F8 7C45 6CDE 9A12 03B4 F921 AE10 7BC4.

Scope

  • The hosted control plane (console.beacons.sh, api.beacons.sh)
  • The bcn CLI and beacons-agent daemon (across all supported targets)
  • The SDKs in every supported language
  • The official desktop / mobile / browser apps
  • The conformance test vectors and reference implementation

Out of scope

  • Customer-owned self-hosted deployments (report to the operator)
  • Third-party services (cellular providers, IdPs) — report upstream

Rewards

The bug bounty program runs through a shared L1fe AI bounty pool. Severity is scored against CVSS 3.1 with a small subjective bonus for clean, well-written reports.

Open a fleet

The mesh that fits agents and humans.

A `did:oas`-rooted private mesh that ships peer configurations to any device, anywhere, by policy — not by hand.

Open consoleRead the quickstart