| Version | Supported |
|---|---|
| 1.0.x | ✅ |

If you discover a security vulnerability in this project, please report it responsibly. Do not open a public GitHub issue.

Email: daniel.turull@ericsson.com

Include:

- Description of the vulnerability
- Steps to reproduce
- Affected version(s)
- Potential impact

What to expect:

- Acknowledgment within 5 business days
- Status update within 15 business days
- We will coordinate disclosure timing with you

This policy covers the yocto-security-tools repository. Vulnerabilities in
upstream dependencies (requests, packaging) should be reported to their
respective maintainers.

Plugins loaded from extra/ or via CVE_EXTRA_SOURCES_DIR execute with full
process privileges. See extra/README.md for the security
model. We do not accept vulnerability reports for malicious plugins that a user
explicitly installed.