
Security at every layer

Petacomm is built with security as a foundational principle — not an afterthought. From kernel-level hardening to long-term CVE patching, we take responsibility for the entire attack surface so your teams do not have to.

Security Advisory PSA-2026-004 — libssl patch available for all supported versions.

  • 5 yr Security Maintenance
  • 24 h Critical Patch SLA
  • 100% CVEs Disclosed
  • FIPS 140-2 Compliant

Security is a shared responsibility

We secure the platform. You control the perimeter.

Petacomm maintains full security oversight for every component we ship — from the core daemon to third-party library dependencies. Our security team operates a continuous monitoring pipeline, triages every incoming vulnerability report within 24 hours, and publishes transparent advisories for any issue that affects production systems.

We follow the principles of least privilege, defence in depth, and zero-trust architecture across all Petacomm products. Every binary we release is signed, reproducible, and auditable.

  • All releases signed with GPG keys — verifiable against published fingerprints
  • Reproducible builds — byte-identical artifacts from tagged source commits
  • Dependency lockfiles and SBOM published for every release
  • Continuous static analysis and fuzzing in CI/CD pipeline
  • Third-party penetration testing conducted annually

Security-first architecture

Every Petacomm component is developed under a secure software development lifecycle (SSDLC). Threat modelling is conducted at the design phase, not the review phase. We treat security findings as first-class bugs with mandatory SLA targets.


Responsible disclosure

We operate a coordinated vulnerability disclosure programme. Researchers who report valid security issues in good faith are credited in our advisories and protected from legal action under our safe harbour policy.


Platform Security

Defence in depth at every layer

Multiple independent security controls working together.

Security is not a single feature — it is the sum of dozens of independent controls, each designed to limit the blast radius of any single failure. Petacomm implements overlapping defences so that a weakness in one layer is contained by the next.

  • Minimal attack surface — every feature disabled by default
  • Strict process isolation — each component runs in its own context
  • Mandatory access control compatible with SELinux and AppArmor
  • Encrypted inter-process communication via Unix sockets with auth tokens
  • Immutable configuration at runtime — changes require explicit reload
  • Structured audit log for every privileged operation

  • Process Isolation: Each daemon runs under a dedicated service account with minimal filesystem access. No shared credentials between components.
  • Encrypted at Rest: Sensitive configuration data, tokens and credentials stored with AES-256 encryption. Keys never written to disk in plaintext.
  • Signed Releases: Every binary and package is signed with a GPG key held in hardware security modules. Signatures verified on install by default.
  • Audit Log: Tamper-evident structured log of every privileged action. Exportable to SIEM, ELK Stack and Splunk in real time.
  • SLA-Backed Patching: Critical vulnerabilities patched within 24 hours. High severity within 7 days. Patch timelines published and tracked publicly.
  • Reproducible Builds: Any release can be rebuilt from tagged source to produce byte-identical artifacts. Independently verifiable by the community.

CVE Management

Proactive vulnerability management

We track every dependency, not just our own code.

Our security engineering team operates a continuous CVE monitoring pipeline that covers Petacomm's own codebase and every upstream dependency — including the C standard library, compression libraries, cryptographic backends and language runtimes.

When a vulnerability is identified, triage begins immediately. Patches are prepared, tested across all supported distribution versions, and released according to severity-tiered SLA commitments — all before public disclosure where possible.

  • CVE monitoring for 200+ tracked upstream packages
  • Automated dependency graph updated on every upstream release
  • Critical patches within 24 hours of confirmed severity
  • High severity patches within 7 calendar days
  • Advance notice to enterprise customers 48 hours before public release
  • CVSS scoring and exploitability context in every advisory
petaguard — CVE scan
# Dependency vulnerability scan
user@server:~$ peta security scan

Scanning 247 packages...

CRITICAL CVE-2026-1234 libssl 3.0.8
Fix available: 3.0.9 CVSS 9.1
HIGH CVE-2026-0891 zlib 1.2.13
Fix available: 1.3.0 CVSS 7.5
INFO CVE-2025-8801 curl 8.4.0
No fix yet. CVSS 3.2 (low)

user@server:~$ peta security patch --auto
libssl patched: 3.0.8 → 3.0.9
zlib patched: 1.2.13 → 1.3.0
2 vulnerabilities resolved. Audit log updated.

user@server:~$

Patch Response Time vs Industry Average

  • Petacomm: 24 h
  • Industry avg.: ~14 d
  • Open source avg.: ~30 d

System Hardening

Hardened by default

CIS benchmarks and DISA/STIG profiles — applied automatically.

Petacomm ships with a curated set of hardening defaults that align with CIS Level 2 benchmarks and DISA STIG requirements for Linux systems. No manual configuration required — secure defaults are applied at install time and enforced at runtime.

  • CIS Level 1 and Level 2 profile support
  • DISA STIG RHEL / Ubuntu hardening guide compliance
  • SSH configuration hardening — disable root login, enforce key auth
  • Kernel parameter hardening via sysctl (ASLR, SYN cookies, IP forwarding)
  • Automatic removal of unnecessary setuid/setgid binaries
  • Filesystem mount options enforced (noexec, nosuid, nodev)
  • Core dumps disabled by default in production mode
  • Auditd rules pre-configured for compliance reporting
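
The SSH and sysctl items in the list above can be checked independently of any hardening tool. The following is an added example, not Petacomm code: the expected values are common hardening baselines assumed here rather than the contents of a Petacomm profile, and the sample files are constructed.

```bash
#!/usr/bin/env bash
# Added example: offline audit of hardening settings named in the list above.
# Expected values are common baselines assumed here, not Petacomm's own profile.

# Effective sshd value: sshd uses the FIRST occurrence of a keyword
# (case-insensitive), so a line appended later does not override it.
sshd_value() {  # $1=config file  $2=keyword
  awk -v k="$2" 'BEGIN { k = tolower(k) }
    /^[ \t]*#/ { next }
    tolower($1) == k { print tolower($2); exit }' "$1"
}

# Value from "key = value" lines, the format printed by `sysctl -a`.
sysctl_value() {  # $1=dump file  $2=key
  awk -F'[ \t]*=[ \t]*' -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Prints PASS/FAIL per setting; exit status is the number of failed checks.
audit_hardening() {  # $1=sshd_config  $2=sysctl dump
  local fails=0
  check() {  # $1=setting  $2=actual  $3=expected
    if [ "$2" = "$3" ]; then echo "PASS $1=$2"
    else echo "FAIL $1=${2:-unset} (want $3)"; fails=$((fails + 1)); fi
  }
  check PermitRootLogin "$(sshd_value "$1" PermitRootLogin)" no
  check PasswordAuthentication "$(sshd_value "$1" PasswordAuthentication)" no
  check kernel.randomize_va_space "$(sysctl_value "$2" kernel.randomize_va_space)" 2
  check net.ipv4.tcp_syncookies "$(sysctl_value "$2" net.ipv4.tcp_syncookies)" 1
  check net.ipv4.ip_forward "$(sysctl_value "$2" net.ipv4.ip_forward)" 0
  return "$fails"
}

# Constructed sample inputs (not taken from a real host).
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/sshd_config" <<'EOF'
# constructed sample
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no
EOF
cat > "$SAMPLE/sysctl.txt" <<'EOF'
kernel.randomize_va_space = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 1
EOF
audit_hardening "$SAMPLE/sshd_config" "$SAMPLE/sysctl.txt" || echo "$? check(s) failed"
```

Match blocks and Include directives in sshd_config are not evaluated here; on a live host, `sshd -T` prints the effective configuration and `sysctl -a` the running kernel parameters.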

Zero-configuration hardening

Run peta harden --profile cis-level2 to apply the full CIS Level 2 benchmark to your system. Each change is recorded in the audit log and is reversible with peta harden --rollback.

Default Hardening Coverage

  • CIS Level 1: 100%
  • CIS Level 2: 94%
  • DISA STIG: 88%
  • NIST 800-53: 79%

Compliance

Compliance frameworks supported

Audit-ready reporting across major regulatory standards.

Petacomm generates structured compliance reports aligned with major regulatory and security frameworks. Whether you operate in a regulated industry or pursue a security certification, our tooling reduces audit preparation time from weeks to hours.

  • SOC 2 Type II — continuous control evidence collection
  • ISO 27001 — Annex A control mapping and gap analysis
  • PCI DSS v4.0 — cardholder data environment hardening
  • HIPAA — technical safeguard verification and reporting
  • FedRAMP — moderate baseline control implementation
  • GDPR — data residency controls and processing records

  • SOC 2: Type II continuous evidence
  • ISO 27001: Annex A control mapping
  • PCI DSS: v4.0 CHD environment
  • HIPAA: Technical safeguards
  • FedRAMP: Moderate baseline
  • GDPR: Data residency controls
  • DISA STIG: 88% automated coverage
  • NIST 800-53: Control family coverage

Cryptography

FIPS 140-2 compliant cryptography

Validated cryptographic modules for regulated environments.

For organizations operating in government, defence or regulated financial environments, Petacomm supports FIPS 140-2 validated cryptographic modules. All cryptographic operations — key generation, storage, and transport — run through the validated module boundary when FIPS mode is enabled.

  • FIPS 140-2 mode enabled with a single configuration flag
  • TLS 1.3 with FIPS-approved cipher suites only
  • AES-256-GCM for data at rest — no legacy algorithms permitted
  • RSA-4096 and ECDSA P-384 for asymmetric operations
  • Hardware Security Module (HSM) integration supported
  • Key rotation policy enforcement with configurable intervals

Enabling FIPS mode

Enable FIPS 140-2 compliant mode across all Petacomm components with a single command. The system validates module integrity at startup and refuses to proceed if any cryptographic component fails its self-test.

# Enable FIPS 140-2 mode
$ sudo peta configure --fips-mode enable
FIPS module integrity verified
Legacy algorithms disabled (MD5, SHA-1, RC4)
TLS minimum version set to 1.3
Key length minimum set to 256-bit
# Restart required for FIPS mode to take effect
$ sudo peta restart --all
All services running in FIPS 140-2 compliant mode

Recent Security Advisories

All Petacomm security advisories are published here and via our mailing list.

| Advisory ID | Component | Description | Severity | Status | Published |
|---|---|---|---|---|---|
| PSA-2026-004 | libssl 3.0.8 | Buffer overflow in TLS handshake record parsing allows remote code execution. | Critical | Patched — 3.0.9 | 2026-04-28 |
| PSA-2026-003 | peta-daemon | Privilege escalation via symlink race condition in temporary file handling. | High | Patched — v3.4.2 | 2026-03-15 |
| PSA-2026-002 | GateBell | Insufficient input validation in webhook URL parsing allows SSRF in restricted networks. | Medium | Patched — v1.0.3 | 2026-02-07 |
| PSA-2026-001 | PetaSync | Backup metadata exposed in world-readable log file on default installation. | Low | Patched — v2.1.1 | 2026-01-22 |
| PSA-2025-009 | peta-monitor | Unauthenticated metrics endpoint reachable on loopback interface when firewall disabled. | Medium | Patched — v3.3.5 | 2025-11-30 |

Responsible Disclosure

Report a vulnerability

We welcome responsible disclosure from the security research community.

If you have identified a security vulnerability in any Petacomm product or service, we ask that you report it to us before public disclosure. We commit to acknowledging your report within 24 hours and to treating your disclosure in good faith.

Researchers who report valid security issues are credited in our advisories by name or alias as preferred. Our safe harbour policy protects researchers acting in good faith from legal action.

Contact
[email protected]
PGP key available at keys.petacomm.io

Disclosure process

1. Submit your report
   Send details to [email protected] with steps to reproduce, affected versions, and impact assessment. PGP-encrypted submissions are preferred for sensitive disclosures.
   Any time

2. Acknowledgement
   Our security team acknowledges receipt and confirms the report is under review. We assign an internal tracking number and provide a primary point of contact.
   SLA: 24 hours

3. Triage and severity assessment
   We reproduce the issue, assess CVSS severity, and determine affected versions. You are kept informed of our findings throughout this stage.
   SLA: 5 business days

4. Patch development and review
   A fix is developed, reviewed by a second engineer, and tested across all supported platform versions. We coordinate a disclosure date with the reporter.
   24 h (Critical) / 7 d (High)

5. Public disclosure and credit
   The patch is released simultaneously with a public advisory. The reporter is credited by name or alias as preferred. Enterprise customers receive 48 hours advance notice.
   CVE assigned if applicable

Global cloud and infrastructure service providers we rely on.

Petacomm security tooling is deployed across leading cloud and hosting infrastructure providers.

Cloudflare Contabo Amazon Web Services

Speak to our security team

Whether you are evaluating Petacomm for a regulated environment, need a custom compliance report, or want to discuss enterprise security requirements — our team is ready to assist.
