docs: add security policy, transparency notes, and audit documentation

HelloPrincePal · HelloPrincePal · commit 02a70e4b575b · 2026-03-29T17:25:17.000+05:30
diff --git a/.github/SECURITY.md b/.github/SECURITY.md
@@ -0,0 +1,46 @@
+# 🛡️ Security Policy
+
+## Supported Versions
+
+DroidTether currently supports the following versions for security updates. We recommend always running the latest version available.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| [Latest Release](https://github.com/HelloPrincePal/DroidTether/releases/latest) | :white_check_mark: |
+| v0.8.x  | :white_check_mark: |
+| < v0.8.0| :x:                |
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.** 
+
+If you discover a potential security vulnerability in DroidTether, please report it through one of the following channels:
+
+### 1. GitHub Private Vulnerability Reporting (Preferred)
+You can report vulnerabilities privately directly through the GitHub repository:
+1. Go to the [Security tab](https://github.com/HelloPrincePal/DroidTether/security/advisories) of the repository.
+2. Click on **Report a vulnerability**.
+3. Provide a detailed summary of the vulnerability, including steps to reproduce.
+
+### 2. Direct Contact
+If you prefer, you can reach out to the author privately via:
+- 🔗 **LinkedIn**: [Prince Pal](https://www.linkedin.com/in/theprincepal/)
+- 🤖 **Reddit**: [u/PrincePal_](https://www.reddit.com/user/PrincePal_/)
+
+---
+
+### What to Include in Your Report
+To help us triage and respond to your report as quickly as possible, please include:
+- A description of the vulnerability and its potential impact.
+- Step-by-step instructions to reproduce the issue (including proof-of-concept code, if possible).
+- The version of DroidTether, macOS, and Android being used.
+- Any relevant logs (e.g., `/var/log/droidtether.log`).
+
+### Our Commitment
+- We will acknowledge receipt of your report within **48 hours**.
+- We will keep you informed of our progress as we investigate and work on a fix.
+- We will provide public credit for your discovery (if you wish) once the vulnerability has been resolved.
+
+---
+
+Thank you for helping keep DroidTether and its users safe! 🚀
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -8,6 +8,8 @@ If you find a bug, please [open an issue](https://github.com/HelloPrincePal/Droi
 *   Your Android device model and OS version.
 *   Relevant logs from `/var/log/droidtether.log`.
 
+**⚠️ Important**: For security vulnerabilities, please do **NOT** open a public issue. See our [Security Policy](.github/SECURITY.md) for private reporting instructions.
+
 ### 2. Suggest a Feature ✨
 Have an idea for v1.0? Please open a feature request issue! We're particularly interested in testing with more Android device manufacturers.
 
diff --git a/PRIVACY.md b/PRIVACY.md
@@ -18,5 +18,10 @@ DroidTether has **no telemetry, no analytics, and no "call-home" features**. It
 
 ---
 
+### 📝 Audit & Transparency
+To ensure full trust, the entire core logic is implemented in less than **2,000 lines of Go code**. This makes it easy for any security researcher or user to audit the source code in a single afternoon. We believe transparency is the foundation of security.
+
+---
+
 ### Questions?
 If you have any questions about this Privacy Policy or how DroidTether handles your data, please open an issue in the [GitHub repository](https://github.com/HelloPrincePal/DroidTether).
diff --git a/README.md b/README.md
@@ -19,6 +19,17 @@ DroidTether is a lightweight userspace daemon that brings high-performance USB t
 
 ---
 
+## 🛡️ Transparency & Privacy
+DroidTether is built on a "local-only" model.
+- 📂 **100% Open Source**: Every line of code is available for audit in this repository.
+- 🚫 **No Telemetry**: No tracking, no analytics, and no "call-home" features. 
+- 🔒 **Local Connectivity**: All networking happens strictly between your Mac and your Android device. No external servers are involved in the packet relay process.
+- 🕵️ **Log Privacy**: Logs reside only on your local machine at `/var/log/droidtether.log` for debugging purposes.
+
+> 📝 **Audit Note**: The entire core logic of DroidTether is contained in less than **2,000 lines of Go code**, making it exceptionally easy to audit for security and transparency. We believe in simplicity and clear source code as the ultimate form of trust.
+
+---
+
 ## 🛠️ Verified Test Environment
 
 | Phone Name | Android Version | Host Name | OS Version | Results |
@@ -70,6 +81,16 @@ sudo ./build/droidtether
 
 ---
 
+## 🔑 Why `sudo` is Required?
+Because DroidTether operates at the system network level, it requires elevated privileges for specific operations:
+1. **Network Interface Management**: Creating and configuring the virtual `utun` interface on macOS is a kernel-restricted task.
+2. **Routing Table Injection**: Updating your Mac's routing table to prioritize the phone's internet connection requires superuser permissions.
+3. **Log Management**: Writing operational logs to `/var/log/droidtether.log` for system-wide transparency.
+
+*DroidTether performs these tasks purely in userspace—no persistent kernel extensions are installed.*
+
+---
+
 ## 📖 How to Use
 
 1. **Connect** your Android phone to your Mac via a USB-C cable.
@@ -154,4 +175,6 @@ Feel free to reach out or follow the project’s journey! 🚀
 MIT — © PrincePal
 
 ## 🤝 Contributing
-Found a bug? Have a feature request for v1.0? Please open an issue or submit a PR!
+Found a bug? Have a feature request for v1.0? Please open an issue or submit a PR! 
+
+**⚠️ Security**: For security vulnerabilities, please refer to our [Security Policy](.github/SECURITY.md) for private reporting instructions.
diff --git a/VERSIONS.md b/VERSIONS.md
@@ -10,6 +10,11 @@ v1.0.0 = MVP complete and working on M1/M2/M3.
 
 ---
 
+## v0.8.3 — 2026-03-29
+- Milestone: Transparency & Verification (The "Trust" Release)
+- What works: Added `.github/SECURITY.md` for private vulnerability reports. Enhanced `README.md` and `PRIVACY.md` with sections on **Why sudo is required**, **Audit Notes** (~2k lines of Go), and **Local-only connectivity**. Verified commit signing via SSH is now active.
+- Next: Finalize Homebrew Formula logic for `brew install` support.
+
 ## v0.8.2 — 2026-03-28
 - Milestone: One-Line Installer Stability (Production Ready)
 - What works: `install.sh` now correctly handles macOS "Error 5" launchctl bootstrap failures, initializes log files with correct permissions, and ensures `root:wheel` binary ownership. Fixed `ethType` dispatch logic in `relay.go` using an idiomatic tagged switch.
