Project security policy

The MCUboot team takes security, vulnerabilities, and weaknesses seriously.

Reporting security issues

You should report security issues either using our page at [Hackerone] (https://hackerone.com/mcuboot?type=team) or contacting directly the current maintainers of the project:

  • David Brown: davidb@davidb.org or david.brown@linaro.org

  • Fabio Utzig: utzig@apache.org

If you wish to send an encrypted email, you may use these PGP keys:

    pub   rsa4096 2011-10-14 [SC]
          DAFD760825AE2636AEA9CB19E6BA9F5C5E54DF82
    uid           [ultimate] David Brown <davidb@davidb.org>
    uid           [ultimate] David Brown <david.brown@linaro.org>
    sub   rsa4096 2011-10-14 [E]

and

    pub   rsa4096 2017-07-28 [SC]
          126087C7E725625BC7E89CC7537097EDFD4A7339
    uid           [ unknown] Fabio Utzig <utzig@apache.org>
    uid           [ unknown] Fabio Utzig <utzig@utzig.org>
    sub   rsa4096 2017-07-28 [E]

Please include the word “SECURITY” as well as “MCUboot” in the subject of any message.

We will make our best effort to respond in a timely manner. Most vulnerabilities found within published code will undergo an embargo of 90 days to allow time fixes to be developed and deployed.

Vulnerability advisories

Vulnerability reports and published fixes will be reported as follows:

  • Issues will be entered into MCUboot’s security advisory system on GitHub, with the interested parties (including the reporter) added as viewers.

  • The release notes will contain a reference to any allocated CVE(s).

  • When the embargo is lifted, the security advisory page will be made public, and the public CVE database will be updated with all relevant information.