Security Communications

Security information about each release is included in the release notes. You can subscribe to the announce mail list to be notified when a new release comes out.

A summary of the known security vulnerabilities can be found at: https://docs.zephyrproject.org/latest/security/vulnerabilities.html

Vulnerability notifications pre-release or during embargo periods are available to Product Creators that have registered for these notices here.

Report a Vulnerability

We’re extremely grateful for security researchers and users who report vulnerabilities to the Zephyr Project. All reports are thoroughly investigated by a set of security committee volunteers who form the Zephyr Project Security Incident Report Team (Zephyr PSIRT) and may be assigned a CVE if appropriate. The Zephyr project is a listed CVE Numbering Authority with MITRE.

To make a report, please submit your vulnerability to vulnerabilities@zephyrproject.org

More details of how vulnerabilities are handled can be found in our Security Incident Management documentation.

When Should I Report a Vulnerability?

  • You think you discovered a potential security vulnerability in Zephyr
  • You are unsure how a vulnerability affects Zephyr
  • You think you discovered a vulnerability in another project that Zephyr depends on
    • For projects with their own vulnerability reporting and disclosure process, please report it directly there.

When Should I NOT Report a Vulnerability?

Security Vulnerability Response

Each report is acknowledged and analyzed by Zephyr Project Security Incident Response Team members within 7 working days. This will set off the Security Incident Management Process.

Any vulnerability information shared with the Product Security Committee stays within the Zephyr project and will not be disseminated to other projects unless it is necessary to get the issue fixed.

As the security issue moves from triage, to identified fix, to release planning, we will keep the reporter updated.

Public Disclosure Timing

Embargo Policy

The information members receive during embargo periods may be received on vulnerability-alerts@lists.zephyrproject.org. Any information regarding embargoed vulnerabilities must not be made public, shared, nor even hinted at anywhere beyond the need-to-know within your specific team except with the list’s explicit approval. This holds true until the public disclosure date/time that was agreed upon by the list. Members of the list and others may not use the information for anything other than getting the issue fixed for your respective product’s users.

Before any embargoed information from the list is shared with respective members of your team required to fix said issue, they must agree to the same terms and only find out information on a need-to-know basis.

In the unfortunate event a member shares the information beyond what is allowed by this policy, that member must urgently inform the vulnerabilities@zephyrproject.org mailing list of exactly what information leaked and to whom. A retrospective will take place after the leak so we can assess how to not make the same mistake in the future.

If the member continues to leak information and break this policy, the member will be removed from the list.

More details of how vulnerabilities are handled can be found in our Security Incident Management documentation.

Product Creator Notifications

Product creators who are not already members of the Zephyr project may be eligible to participate in the vulnerability-alerts@lists.zephyrproject.org mail list and receive advance notification of the vulnerabilities and mitigations before public disclosure by applying to participate. For information on the notification process, refer to the Vulnerability Reporting and Alerts section of the Zephyr Project documentation.

Criteria for participation include:

  1. Have a contact who will respond to emails within a week and understands how Zephyr is being used in the product.
  2. Have a publicly listed product based on some release of Zephyr.
  3. Have an actively monitored security email alias.
  4. Accept the Zephyr Embargo Policy that is outlined above.

Removal: If a member stops adhering to these criteria after joining the list, the member will be unsubscribed.

If you believe your company meets the criteria to be eligible to receive vulnerability alerts, please fill out the form at: Product Creators Vulnerability Alert Registry