How we look after the appliance you put on your network.
Shield is a piece of hardware that sees a lot of your traffic. We treat that responsibility seriously — both in how the device is built, and in how we handle reports when something is wrong.
Reporting a vulnerability
If you believe you've found a security issue in WOMBATS Shield — the appliance, the local web management UI, the update path, or anything bundled with it — please tell us. We'll respond like adults: quickly, privately, and with credit if you want it.
- Email: security@wombatss.com
- PGP: Available on request — please email us first and we'll send a fingerprint.
- Acknowledgement: within 2 business days.
- Triage: within 7 business days.
We will not pursue good-faith researchers who follow this disclosure path. Please give us a reasonable window to investigate before public disclosure.
What's in the appliance
Shield is built on trusted open technology, hardened and tailored into a real appliance. We'd rather tell you what's underneath than pretend we wrote it all from scratch.
Raspberry Pi 5 hardware baseline+
Shield runs on Raspberry Pi 5 silicon (2 GB on Core and Edge, 4 GB on Vault). Real, repairable, well-documented hardware with a long supply life — not a one-batch custom board.
Debian 12 base system+
A long-term-support Linux base with a known security track record and a predictable patch pipeline. We track upstream Debian security where relevant.
AdGuard Home — hardened baseline+
Shield uses AdGuard Home as its DNS-layer filtering engine. We've intentionally restricted, disabled or redesigned features that conflicted with our privacy and security goals — including default query logging behaviour, remote-management exposure, and any ambiguous telemetry. AdGuard provides the engine. Shield's appliance behaviour is ours.
nftables enforcement+
Shield applies local nftables redirect, port-block and forward-chain rules to resist common DNS-bypass paths and Apple Private Relay traffic. Enforcement happens on the device, not on a vendor cloud.
Signed software updates+
Software bundles are signature-verified before they're applied. There is no ad-hoc file replacement, no remotely pushed unsigned change. The update path is the only way new code lands on Shield.
Hardware-assisted unlock+
Shield's encrypted partitions are unlocked at boot through a hardware-assisted key path using an ATECC secure element. The unlock key is bound to the device — it can't be lifted off and used elsewhere. This is the same family of crypto hardware used in premium identity and storage products.
Vault SSD — three independent key paths+
On Shield Vault, the encrypted storage SSD has three separate ways it can be unlocked. (1) An auto-unlock key bound to the device's ATECC secure element, used at boot so the SSD comes up cleanly on your network without prompting. (2) A user passphrase, for user-level access. (3) A recovery key, kept safely off the device for break-glass recovery if both of the above are unavailable. Lift the SSD into another machine and it stays dark — the auto-unlock key is bound to the original Shield.
Separate payload and storage partitions+
On Shield Vault, the encrypted payload partition that runs the system is kept separate from the encrypted storage partition that holds your files. Each is unlocked through its own ATECC-bound key path. A failure or a reset on one does not threaten the other.
Update philosophy
We update Shield deliberately, not constantly. New software lands as a complete, signed bundle that is verified before it's applied. We don't silently push unrelated changes through a back channel, and we don't use the update path to add new telemetry. If we ever need to change what Shield does in a meaningful way, you'll hear about it before the change ships.
What we don't do
- Vendor cloud control plane — we don't have one. Filtering and management stay on Shield.
- Telemetry pipeline — we don't collect browsing history, query logs, or behavioural profiles back to us.
- Remote management backdoor — there is no out-of-band path for us to take over your appliance.
- Required activation — Shield does not need to phone home to keep working.
Looking for the deeper architecture? See the threat model and how it works.