Project security policy
The MCUboot project uses the TrustedFirmware.org security policy.
Reporting security vulnerabilities
The preferred way to report a security vulnerability with MCUboot is via the “Report a vulnerability” button on the main security page.
You can also email the MCUboot security team at mcuboot-security@lists.trustedfirmware.org as per the TrustedFirmware.org policy. Please include the word “SECURITY” as well as “MCUboot” in the subject of any message.
Disclosure
Any confirmed security vulnerability will be disclosed to Trusted Stakeholders as per the TrustedFirmware.org policy.
A draft advisory and vulnerability fix will be created in MCUboot’s security advisory system on GitHub, with any interested Trusted Stakeholders and the reporter added as viewers.
On the public disclosure date, the security advisory page will be made public, and the public CVE database will be updated with all relevant information.
The release notes of the next MCUboot release will refer to any allocated CVE(s).