The MCUboot project is primarily a secure bootloader, and as such, the project takes security seriously. No technology is perfect, and the project believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
The primary focus of MCUboot is the source code for the project. Due to the large number of scripted and false reports against the website, the project will consider other reports out of scope. Genuine reports against the website, the email configuration of the domain, or the project as a whole are appreciated, but will need to be made by participating in the project, not through HackerOne.
There are several aspects of the project where security may be a concern, which will receive different levels of importance.
- The bootloader itself: Security issues in the bootloader code will generally directly affect the security of devices secured using MCUboot. As such, these issues will receive the highest priority. Issues here range from the code itself and its integration with various real-time operating systems (RTOSes) or software development kits (SDKs), to more subtle issues, such as the use of cryptography in validating the images, or how images are manipulated in flash.
- Infrastructure around producing images: MCUboot uses various tools to produce signed firmware images, such as imgtool.py and newt. Security issues in these tools can affect the security of the bootloader. The project wishes to know about these issues, even if the tool in question is external to the project, and we will work as necessary with external groups to see these issues resolved.
- Testing and CI: MCUboot contains a simulator for testing, and a suite of tests of the bootloader's functionality. Security issues in these tools may or may not directly affect the security of the bootloader itself; even if they do not, they will still be taken seriously, albeit at lower priority.
- Project websites and web-based tooling: Security issues found within the web-based tooling used to support the project can affect the security of the bootloader, sometimes in surprising ways (such as a malicious party being able to modify the code). Issues of this nature will also be considered by the project. The Core Infrastructure Initiative has much useful information about this. Keep in mind that most of MCUboot is hosted by third-party services, such as GitHub. Vulnerabilities found in GitHub itself should be reported to them and will be considered out of scope for MCUboot, unless there is something specific to MCUboot that can be fixed. Note that these are considered out of scope on HackerOne and will be immediately rejected.
- The mcuboot.com domain: This domain hosts a simple set of static web pages with project information. There are no accounts, no authentication, and no email is generated for this domain. Reports such as cross-site vulnerabilities will be considered out of scope.
Disclosure Policy
- Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Exclusions
While researching, we'd like to ask you to refrain from:
- Denial of service
- Spamming
- Social engineering (including phishing) of MCUboot project staff or contractors
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep the MCUboot project and our users safe!