Project security policy

The MCUboot project uses the TrustedFirmware.org security policy.

Reporting security vulnerabilities

The preferred way to report a security vulnerability with MCUboot is via the “Report a vulnerability” button on the main security page .

You can also email the MCUboot security team at mcuboot-security@lists.trustedfirmware.org as per the TrustedFirmware.org policy. Please include the word “SECURITY” as well as “MCUboot” in the subject of any message.

Disclosure

Any confirmed security vulnerability will be disclosed to Trusted Stakeholders as per the TrustedFirmware.org policy.

A draft advisory and vulnerability fix will be created in MCUboot’s security advisory system on GitHub, with any interested Trusted Stakeholders and the reporter added as viewers.

On the public disclosure date, the security advisory page will be made public, and the public CVE database will be updated with all relevant information.

The release notes of the next MCUboot release will refer to any allocated CVE(s).