Security: official-mesh/android


SECURITY.md

Security Policy

This is a downstream fork maintained by The Official Mesh Admin (<officialmeshadmin@proton.me>). Vulnerabilities in this fork's private-port modifications (ports 350–365) and other fork-specific changes should be reported per the policy below. Vulnerabilities in code paths inherited unmodified from upstream meshtastic/Meshtastic-Android should be reported upstream — this fork does not triage upstream's surface beyond rolling forward when upstream patches.

What counts as a security issue (this fork)

  • Bugs in the private-port (350–365) wire handling: parser errors, authentication bypass, memory safety in fork-introduced code.
  • Privacy regressions when the app is paired with the Official Mesh Firmware — e.g., the app leaks identity in a way the firmware was configured to suppress.
  • Cryptographic bugs in fork-specific surfaces.

If you're not sure whether something qualifies, report it.

Reporting

Report privately. Two acceptable channels:

  1. GitHub private vulnerability reporting (preferred): on the Security tab of the repository (github.com/official-mesh/android), click "Report a vulnerability."
  2. Email. Send to the contact address listed on the maintainer's GitHub profile (github.com/officialmeshadmin), with the subject prefix [OM-Android Security]. If the report is sensitive, encrypt it to the maintainer's published PGP key, fingerprint 9A18 814D 74A6 3138 9F95 6EA0 5F8D 7A5E ED20 3343. The full key is in KEYS at the repo root and can also be fetched from hkps://keys.openpgp.org. Whichever source you use, check that the fingerprint of the key you imported matches the one above before encrypting; the fingerprint printed here is the authoritative value, not the keyserver or the file.
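The fetch-and-verify step above, written out as an added shell example (this is not the fork's own tooling or any script in the repository): it pulls the key by fingerprint from the keyserver the policy names, compares the fingerprint gpg actually imported against the published one, and only then encrypts the report. The script name, the report-file argument, and the use of `--trust-model always` in place of locally signing the key are assumptions for the example; the fingerprint and keyserver are the ones the policy states.

```shell
#!/bin/sh
# Added example, not part of the official-mesh/android repository.
# Fetch the maintainer's key, verify its fingerprint against the value
# published in SECURITY.md, then encrypt a report to it.
# Assumes gpg 2.x is installed. Usage: sh verify_om_key.sh report.txt
set -eu

# Fingerprint exactly as published in the policy (spacing is cosmetic).
PUBLISHED_FPR='9A18 814D 74A6 3138 9F95 6EA0 5F8D 7A5E ED20 3343'
KEYSERVER='hkps://keys.openpgp.org'

# Canonical form gpg uses internally: 40 upper-case hex digits, no separators.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# True when a fingerprint string (any spacing or case) is the published key.
fpr_matches_published() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$PUBLISHED_FPR")" ]
}

# Guard against a typo in the value we are about to trust: v4 fingerprints
# are exactly 40 hex digits.
fpr_is_well_formed() {
    case "$(normalize_fpr "$1")" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "$(normalize_fpr "$1" | wc -c | tr -d ' ')" -eq 40 ]
}

# Read the primary-key fingerprint gpg holds for this key and compare it to
# the published one. Works for a key imported from KEYS or from a keyserver.
verify_imported_key() {
    fpr=$(normalize_fpr "$PUBLISHED_FPR")
    got=$(gpg --batch --with-colons --fingerprint "$fpr" \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    if ! fpr_matches_published "$got"; then
        echo "fingerprint mismatch: got '$got', expected '$fpr'" >&2
        return 1
    fi
}

# keys.openpgp.org serves keys by full fingerprint, so request exactly that.
fetch_and_verify_key() {
    fpr_is_well_formed "$PUBLISHED_FPR"
    gpg --keyserver "$KEYSERVER" --recv-keys "$(normalize_fpr "$PUBLISHED_FPR")"
    verify_imported_key
}

# Encrypt the report, ASCII-armoured for email. The fingerprint has just been
# checked by hand, so skip the web-of-trust prompt (assumption: this is
# acceptable to you instead of locally signing the key).
encrypt_report() {
    gpg --batch --armor --trust-model always --encrypt \
        --recipient "$(normalize_fpr "$PUBLISHED_FPR")" \
        --output "$1.asc" "$1"
}

# Only touch the network and keyring when a report file is given.
if [ "${1:-}" != "" ]; then
    fetch_and_verify_key
    encrypt_report "$1"
fi
```

If you take the key from the KEYS file in the repo instead of the keyserver, run `gpg --import KEYS` and then the same `verify_imported_key` check; a key whose fingerprint does not match the published one should not be used, whichever source it came from.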

Please do not open public issues for unpatched security vulnerabilities, especially privacy-relevant ones — exploitation could have real-world consequences for users running the affected client.

Disclosure timeline

Default target: 90 days from initial report to public disclosure or patch, whichever comes first. The fork is maintained by one person, so this target is sometimes missed in practice. If you have a hard timeline, say so in the report.

Supported versions

Only the fork's current release (which tracks the most recent upstream release) and its development branch receive security fixes. Older versions of this fork are not maintained; if you need a fix on an older version, fork and patch it yourself, as the AGPL/GPL license permits.

There aren't any published security advisories