Security

Security is our product,
not a feature.

When you build a zero-trust mesh network, security isn't something you bolt on after - it's the foundation. Every architectural decision we make starts with "how does this protect our users?"

Security by Design

End-to-End Encrypted

Built on WireGuard with ChaCha20-Poly1305 authenticated encryption. Session keys rotate every 2 minutes. Even relay servers can't read your traffic.

Zero Knowledge Architecture

Private keys never leave your devices. The control plane distributes node info (including each node's public key) and ACLs, but it never holds a private key.

Peer-to-Peer by Default

Direct device-to-device connections with automatic relay fallback. Existing tunnels stay up even if the coordination server goes down.

Device Authorization

Devices authenticate through an interactive authorization flow, or with pre-shared node auth keys for headless environments. Auth requests are encrypted end-to-end.

Tag-Based ACLs

Control traffic between nodes using tag-based rules, not IP addresses. Rules are directional: each names a source tag and a destination tag, so allowing traffic from A to B does not allow traffic from B to A.

ISO 27001 (In Progress)

We are actively pursuing ISO 27001 certification to formalize our information security management practices.

Your Data, Your Control

We designed Baseguard so that we don't need to trust ourselves.

All mesh traffic is encrypted end-to-end with WireGuard. Your private keys are generated on your devices and never leave them. The control plane knows which devices are connected and distributes node information and ACLs, but it only ever sees the public keys it hands out; it never has your private keys.

Traffic flows directly between peers. Even when a relay server is involved, it only forwards encrypted WireGuard packets between nodes: it cannot read, modify, or inject data, and a packet altered in transit fails authentication and is dropped by the receiver. Like any network path, a relay can still observe packet sizes, timing and endpoint addresses, and it can drop or delay packets.

Your mesh network keeps working even if our coordination server has an outage. Once your devices have exchanged keys and endpoints, they connect independently; the coordination server is only needed to admit new devices and set up new connections. Established tunnels have no central chokepoint and no single point of failure.

Cryptography Stack

Data Plane            WireGuard
Control Plane         NCP over Noise IK
Symmetric Encryption  ChaCha20-Poly1305
Key Exchange          Curve25519
Hashing               BLAKE2s
Key Rotation          Session keys every 2 minutes
Private Keys          On-device only

Security Controls

Comprehensive controls across infrastructure, data, application, and operations - continuously tested and audited.

Network & Infrastructure

  • Production access requires business justification and authorization
  • All infrastructure connections secured over Baseguard mesh
  • Operations logged and audited for anomalous activity
  • Multi-region deployment with geographic redundancy
  • DDoS protection and intrusion detection systems

Data Security

  • WireGuard encryption for all mesh traffic (data plane)
  • NCP over Noise IK for control plane signaling
  • ChaCha20-Poly1305 symmetric encryption, Curve25519 key exchange
  • WireGuard session keys rotate every 2 minutes for forward secrecy
  • Private keys generated and stored on-device only

Application Security

  • Mandatory peer review for all source code changes
  • Automated SAST, DAST, and dependency scanning in CI/CD
  • Regular third-party penetration testing
  • Quarterly access permission reviews
  • Security-focused QA before every release

Incident Response

  • 24/7 monitoring with automated threat detection
  • Documented response procedures with regular drills
  • Root cause analysis and post-incident reviews
  • Customer notification within 72 hours of confirmed breach
  • Security bulletins published for all disclosed issues

Compliance & Certifications

We are actively building our compliance program and publish our security posture transparently. Our ISO 27001 certification process is underway - formalizing the controls and practices we already follow.

ISO 27001   In Progress
GDPR        Compliant
CCPA        Compliant

Frameworks & Standards

Our security program is built on established frameworks, adapted to the specific threat model of mesh networking infrastructure.

  • NIST Cybersecurity Framework alignment
  • CIS Controls implementation
  • OWASP security best practices
  • Zero Trust Architecture (NIST SP 800-207)
  • Regular third-party penetration testing
  • Annual independent security audits

Security Bulletins

We publish security bulletins to transparently disclose security issues in our products. View our full disclosure history including affected versions and remediation steps.


Security FAQ

Can Baseguard see my network traffic?

No. All mesh traffic is end-to-end encrypted with WireGuard. Your private keys never leave your devices. The control plane distributes node info and ACLs and sees only public keys; it never has your private keys. Relay servers only forward encrypted packets - they cannot read, modify, or inject data, though like any network path they can see packet sizes, timing and endpoints.

What happens if Baseguard goes down?

Existing peer-to-peer tunnels stay up. The coordination server is needed for signaling and establishing new connections, but once two devices have a tunnel, they communicate independently. If the connection drops, clients reconnect and receive a fresh sync automatically.

How do you handle vulnerability reports?

We acknowledge reports within 24 hours and provide an initial assessment within 72 hours. We follow responsible disclosure practices and publish security bulletins for all confirmed issues. Reporters receive credit if desired.

What certifications does Baseguard have?

We are currently pursuing ISO 27001 certification. Our security program is built on established frameworks including NIST CSF and CIS Controls. Contact security@baseguard.net for details on our security posture.

Do you have a bug bounty program?

We do not currently operate a formal bug bounty program, but we welcome responsible disclosure and will work with researchers under our safe harbor policy. Report vulnerabilities to security@baseguard.net.

Vulnerability Disclosure

Found something? Let's fix it together.

We take every report seriously. When you discover a vulnerability, reach out to security@baseguard.net with a detailed description, reproduction steps, and impact assessment.

We operate under a safe harbor policy - we will not pursue legal action against researchers who act in good faith, respect user privacy, and give us reasonable time to respond.

What We Ask

Report promptly
Inform us as soon as possible after discovering a vulnerability
Test responsibly
Use test accounts and synthetic data, never target real users
Coordinate disclosure
Work with us to close the issue before public disclosure
Minimize impact
Don't exploit beyond what's necessary to demonstrate the issue

Our Commitment

< 24h acknowledgement

< 72h initial assessment

Credit for reporters who want it