docs: overhaul security posture and add code of conduct

This commit drastically improves the Transparency and Security Posture documentation
and adds a strict Code of Conduct to protect maintainer privacy.
Resolves #2

Author: HelloPrincePal

.github/SECURITY.md

@@ -1,8 +1,27 @@
 # 🛡️ Security Policy
 
+## Security Philosophy
+DroidTether operates natively in userspace and touches sensitive system network configuration aspects (specifically `utun` virtualization and OS-level routing tables). Because of this necessary privilege escalation (`sudo`), security and data sovereignty are our absolute top priorities.
+
+We rely on a minimalist, auditable, Go-based codebase. We treat all security issues, especially those concerning the parsing of USB protocol packets (RNDIS) and arbitrary code execution vectors, with the highest urgency.
+
+## Threat Model & Scope
+
+We encourage security researchers to focus on the following high-priority vectors:
+- **Packet Parsing Engine**: Buffer overflows, memory leaks, or execution vectors resulting from malicious RNDIS sequences passed back from the USB device.
+- **Privilege Escalation**: Mechanisms that trick the daemon into writing arbitrary data outside of `/var/log/droidtether.log` or altering system states beyond the `utun` interface routing table.
+- **Data Leakage**: Scenarios where local packets are improperly broadcast, logged in plaintext, or forwarded inappropriately.
+
+### 🚫 Out of Scope
+The following are universally out of scope for our security reporting:
+- **Physical Device Compromise**: If an attacker already has physical access to your unlocked Mac or Android device.
+- **Upstream Toolchain Vulnerabilities**: Issues stemming exclusively from core `libusb` or the Go compiler (these should be reported to their respective security teams).
+- **Social Engineering / Phishing**: Tricking a user into downloading a malicious, unsigned version of DroidTether.
+- **Denial of Service (DoS)**: Overloading the daemon by repeatedly plugging/unplugging devices is considered a stability issue, not a highly critical security failure unless it results in persistent kernel lockups.
+
 ## Supported Versions
 
-DroidTether currently supports the following versions for security updates. We recommend always running the latest version available.
+DroidTether currently supports the following versions for security updates. We strongly recommend always running the latest signed version available on the Releases page.
 
 | Version | Supported          |
 | ------- | ------------------ |
@@ -23,24 +42,25 @@ You can report vulnerabilities privately directly through the GitHub repository:
 3. Provide a detailed summary of the vulnerability, including steps to reproduce.
 
 ### 2. Direct Contact
-If you prefer, you can reach out to the author privately via:
+If you prefer, or do not have a GitHub account, you can reach out to the author privately via:
 - 🔗 **LinkedIn**: [Prince Pal](https://www.linkedin.com/in/theprincepal/)
 - 🤖 **Reddit**: [u/PrincePal_](https://www.reddit.com/user/PrincePal_/)
 
 ---
 
 ### What to Include in Your Report
 To help us triage and respond to your report as quickly as possible, please include:
-- A description of the vulnerability and its potential impact.
-- Step-by-step instructions to reproduce the issue (including proof-of-concept code, if possible).
-- The version of DroidTether, macOS, and Android being used.
-- Any relevant logs (e.g., `/var/log/droidtether.log`).
+- A clear description of the vulnerability and its potential systemic impact.
+- Step-by-step instructions to reproduce the issue (including Proof-of-Concept code or malicious RNDIS packet captures, if possible).
+- The exact version of DroidTether, macOS build, and Android device being used.
+- Any relevant crash logs or stack traces (e.g., from `/var/log/droidtether.log` or `/Library/Logs/DiagnosticReports/`).
 
 ### Our Commitment
-- We will acknowledge receipt of your report within **48 hours**.
-- We will keep you informed of our progress as we investigate and work on a fix.
-- We will provide public credit for your discovery (if you wish) once the vulnerability has been resolved.
+- **Response Time**: We will acknowledge the receipt of your report within **48 hours**.
+- **Transparency**: We will keep you informed of our progress as we investigate, patch, and deploy a fix.
+- **Recognition**: We will gladly provide public credit/attribution in our Release Notes and Security Advisories for your discovery (if you wish) once the vulnerability has been patched.
+*(Note: As an open-source hobby project, we currently do not offer financial bug bounties).*
 
 ---
 
-Thank you for helping keep DroidTether and its users safe! 🚀
+Thank you for helping keep DroidTether and our users safe! 🚀

CODE_OF_CONDUCT.md

@@ -0,0 +1,110 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement via direct message to:
+- **LinkedIn**: [Prince Pal](https://www.linkedin.com/in/theprincepal/)
+- **Reddit**: [@PrincePal_](https://www.reddit.com/user/PrincePal_/)
+
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+**Community Impact**: A violation through a single incident or series
+of actions.
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time.
+
+### 3. Temporary Ban
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time.
+
+### 4. Permanent Ban
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html

README.md

@@ -19,14 +19,25 @@ DroidTether is a lightweight userspace daemon that brings high-performance USB t
 
 ---
 
-## 🛡️ Transparency & Privacy
-DroidTether is built on a "local-only" model.
-- 📂 **100% Open Source**: Every line of code is available for audit in this repository.
-- 🚫 **No Telemetry**: No tracking, no analytics, and no "call-home" features. 
-- 🔒 **Local Connectivity**: All networking happens strictly between your Mac and your Android device. No external servers are involved in the packet relay process.
-- 🕵️ **Log Privacy**: Logs reside only on your local machine at `/var/log/droidtether.log` for debugging purposes.
+## 🛡️ Security & Privacy Posture
 
-> 📝 **Audit Note**: The entire core logic of DroidTether is contained in less than **2,000 lines of Go code**, making it exceptionally easy to audit for security and transparency. We believe in simplicity and clear source code as the ultimate form of trust.
+DroidTether is built on a strict **"local-only"** and **"least-privilege"** security model. We understand that system-level network applications require a high degree of trust, which is why we enforce extreme transparency.
+
+### 🚫 Zero Telemetry & Data Sovereignty
+- **No Data Inspection**: DroidTether simply routes encrypted and unencrypted packets between the macOS kernel (`utun`) and the Android USB interface (`libusb`). It **does not** read, inspect, or modify the contents of your web traffic.
+- **No Analytics**: There is absolutely zero telemetry, tracking, or "call-home" functionality built into this daemon.
+- **Local Logs Only**: Operational logs reside strictly on your local machine at `/var/log/droidtether.log` for debugging purposes and are never transmitted anywhere.
+
+### 🔑 Why `sudo` (Root) is Required
+To function without relying on deprecated Kernel Extensions, DroidTether operates natively in userspace but requires elevated OS privileges to bind to the network stack:
+1. **Virtual Interface Creation**: Creating the `utun` network interface requires macOS kernel routing permissions.
+2. **Routing Table Modification**: Injecting routes to prioritize your Android phone's internet connection requires superuser access.
+3. **Hardware USB Binding**: Opening raw protocol communication via `libusb` requires device-level access.
+
+*Note: DroidTether performs these tasks purely in userspace without modifying System Integrity Protection (SIP) or demanding reduced security boot modes.*
+
+### 📂 100% Auditable Core
+The entire core routing logic is written in modern Go and consists of fewer than **2,000 lines of code**. We believe in simplicity and auditable code as the ultimate form of security. Review our [Security Policy](.github/SECURITY.md) for vulnerability reporting.
 
 ---
 
@@ -81,16 +92,6 @@ sudo ./build/droidtether
 
 ---
 
-## 🔑 Why `sudo` is Required?
-Because DroidTether operates at the system network level, it requires elevated privileges for specific operations:
-1. **Network Interface Management**: Creating and configuring the virtual `utun` interface on macOS is a kernel-restricted task.
-2. **Routing Table Injection**: Updating your Mac's routing table to prioritize the phone's internet connection requires superuser permissions.
-3. **Log Management**: Writing operational logs to `/var/log/droidtether.log` for system-wide transparency.
-
-*DroidTether performs these tasks purely in userspace—no persistent kernel extensions are installed.*
-
----
-
 ## 📖 How to Use
 
 1. **Connect** your Android phone to your Mac via a USB-C cable.

TESTING.md

@@ -161,8 +161,8 @@ Use these results as the "Gold Standard" to verify future optimizations or regre
 
 | Device | Network | MAC/Host | OS | Result |
 |--------|---------|----------|----|--------|
-| **Galaxy S24** | **Airtel 5G** | MacBook Air M4 | Android 16 | **290 Mbps / 29ms Ping** |
-| Galaxy A55 | Jio 5G | MacBook Air M4 | Android 16 | 180 Mbps / 35ms Ping |
+| Galaxy S24 | Airtel 5G | MacBook Air M4 | Android 16 | 290 Mbps (DL) / 41 Mbps (UL) |
+| Galaxy A55 | Jio 5G | MacBook Air M4 | Android 16 | 180 Mbps (DL) / 25 Mbps (UL) |
 
 *Tests performed via fast.com and `ping 8.8.8.8`. Zero packet loss verified.*