Please report security vulnerabilities by opening a private security advisory on GitHub or contacting the maintainer directly.

Bastion uses privilege separation:

• Daemon: Runs as root for packet interception
• GUI: Runs as unprivileged user for display

Communication between components uses a Unix domain socket with restricted permissions.

The project uses eBPF (via BCC) for process identification. Ensure your kernel supports eBPF and that BCC is installed from trusted repositories.