NetWatch is a network diagnostics tool that typically runs with elevated privileges and parses hostile input (live packet captures) by design. Security reports are taken seriously and handled as the highest-priority work.
Please do not open a public issue for security problems.
- Preferred: GitHub private vulnerability reporting ("Report a vulnerability" under the Security tab).
- Alternatively: email matthew.t.hartley@gmail.com with
[netwatch security]in the subject.
You'll get an acknowledgement within 72 hours and a triage verdict within 7 days. Fixes for confirmed vulnerabilities ship as a patch release as soon as they're ready — NetWatch is independently maintained, so severe reports jump every queue. Please give us a reasonable window to ship a fix before public disclosure; we're happy to coordinate timing and will credit you in the advisory and release notes (or keep you anonymous, your call).
NetWatch is pre-1.0. Security fixes target the latest release only — please reproduce on the current version before reporting.
| Version | Supported |
|---|---|
| latest release | ✅ |
| anything older | ❌ upgrade first |
NetWatch's threat model assumes packets on the wire are attacker-controlled, and that the tool often runs as root. In rough priority order:
- Privilege escalation — anything that lets an unprivileged local user leverage NetWatch's elevated capture/eBPF privileges.
- Sandbox escape — on Linux, NetWatch applies a post-startup Landlock
sandbox; bypasses of it (or of
--sandbox-strict) are in scope. - Hostile-input handling — crashes, hangs, or memory unsafety in the packet, DPI, TLS/QUIC, DNS, or HTTP parsers when fed malicious traffic. (Parser panics on hostile input are security bugs here, not ordinary crashes — they're a remote DoS against a monitoring tool.)
- Sensitive-data mishandling — TLS session keys from a keylog file, captured payloads, or incident-bundle/flight-recorder exports ending up somewhere unexpected (world-readable files, logs, remote streaming).
- Daemon/remote mode — API-key handling and anything reachable from the
network when running
netwatch daemonwith--remoteor--metrics-addr.
Out of scope: vulnerabilities in dependencies with no NetWatch-specific exploit path (report upstream, though a heads-up is welcome), issues requiring an already-root attacker, and self-inflicted configurations (e.g. exposing the metrics endpoint to the internet deliberately).
- Run with the sandbox on (default).
--sandbox-strictrefuses to start if it can't be enforced. - Treat TLS keylog files and exported incident bundles as secrets — they can contain decrypted traffic.
netwatch daemonmetrics bind to127.0.0.1by default; keep it that way unless you have a reason not to.