Project security policy

The MCUboot team takes security, vulnerabilities, and weaknesses seriously.

Reporting security issues

The preferred way to report security issues with MCUboot is via the “Report a security vulnerability” button on the main security page.

You can also directly contact the following maintainers of the project:

If you wish to send an encrypted email, you may use these PGP keys:

    pub   rsa4096 2011-10-14 [SC]
    uid           [ultimate] David Brown <>
    uid           [ultimate] David Brown <>
    sub   rsa4096 2011-10-14 [E]


    pub   rsa4096 2017-07-28 [SC]
    uid           [ unknown] Fabio Utzig <>
    uid           [ unknown] Fabio Utzig <>
    sub   rsa4096 2017-07-28 [E]

Please include the word “SECURITY” as well as “MCUboot” in the subject of any message.

We will make our best effort to respond in a timely manner. Most vulnerabilities found within published code will undergo an embargo of 90 days to allow time for fixes to be developed and deployed.

Vulnerability advisories

Vulnerability reports and published fixes will be reported as follows: