Security Guidelines
All security bugs reported will be silently fixed in master and backported
to the previous release.
When CVE numbers are assigned to RIOT vulnerabilities, they are associated with
CPE identifiers in the shape of cpe:2.3:o:riot-os:riot:<VERSION>.
Reporting a Vulnerability
If a security issue is discovered, please report it to security@riot-os.org. A response will be provided within one week. The issue will be tracked in the security mailing list. The original reporter will be included in the discussion of the issue. You can encrypt your report using GPG key ID 44C6AE441172F88D3423E81F5F7964D0F4239033, also included at the bottom of this file.
Classification of a vulnerability
Unless the reporter explicitly requests not to do so, the RIOT security maintainers may declassify an issue if the issue is not deemed critical — for example when it requires an unlikely combination of circumstances and/or configuration options, or when it can only be exploited by a user who gains no additional privileges.
Notification of a Vulnerability
After a fix is provided, the security issue will be privately disclosed to the original reporter, RIOT security maintainers, and “Trusted RIOT Users”. A public announcement of the security fix will be made two weeks after the point release, though this may vary depending on the severity and the ability of trusted RIOT users to provide the fix.
Trusted RIOT Users
To access the “Trusted RIOT Users” notifications on the RIOT forum, please send information on the RIOT-based service or product, as well as your forum username, to the security mailing list. Early notification of security bugs will be available and should not be shared publicly. Sharing it publicly will result in removal of access to the “Trusted RIOT Users” notifications.
RIOT community GPG key