MCUboot project security policy

Reporting Security Issues

The MCUboot team takes security, vulnerabilities, and weaknesses seriously.

Security issues should be sent to the current maintainers of the project:

  • David Brown: or

  • Fabio Utzig:

If you wish to send encrypted email, you may use these PGP keys:

pub   rsa4096 2011-10-14 [SC]
uid           [ultimate] David Brown <>
uid           [ultimate] David Brown <>
sub   rsa4096 2011-10-14 [E]


pub   rsa4096 2017-07-28 [SC]
uid           [ unknown] Fabio Utzig <>
uid           [ unknown] Fabio Utzig <>
sub   rsa4096 2017-07-28 [E]

Please include the word “SECURITY” as well as “MCUboot” in the subject of any messages.

We will make our best effort to respond within a timely manner. Most vulnerabilities found within published code will undergo an embargo of 90 days to allow time fixes to be developed and deployed.

Vulnerability Advisories

Vulnerability reports and published fixes will be reported as follows:

  • Issues will be entered into Github’s Security Advisory system, with the interested parties (including the reporter) added as viewers.

  • The release notes will contain a reference to any allocated CVE(s).

  • When any embargo is lifted, the Security Advisory page will be made public, and the public CVE database will be updated with all relevant information.