This page describes the Zephyr project's security and vulnerability disclosure information.

Security information about each release is included in the release notes. You can subscribe to the announce mailing list to be notified when a new release comes out.

A summary of the known security vulnerabilities can be found at:

Vulnerability notifications pre-release or during embargo periods are available to Product Creators that have registered for these notices here.

We're extremely grateful to the security researchers and users who report vulnerabilities to the Zephyr Project. All reports are thoroughly investigated by a group of security committee volunteers who form the Zephyr Project Security Incident Report Team (Zephyr PSIRT), and a CVE may be assigned if appropriate. The Zephyr project is a listed CVE Numbering Authority with MITRE.

To make a report, please submit your vulnerability to  

More details of how vulnerabilities are handled can be found in our Security Incident Management documentation.

  • You think you discovered a potential security vulnerability in Zephyr
  • You are unsure how a vulnerability affects Zephyr
  • You think you discovered a vulnerability in another project that Zephyr depends on
    • For projects with their own vulnerability reporting and disclosure process, please report it directly there.

Each report is acknowledged and analyzed by Zephyr Project Security Incident Response Team members within 7 working days. This starts the Security Incident Management Process.

Any vulnerability information shared with the Product Security Committee stays within the Zephyr project and will not be disseminated to other projects unless it is necessary to get the issue fixed.

As the security issue moves from triage to an identified fix to release planning, we will keep the reporter updated.

A public disclosure date is negotiated by the Zephyr PSIRT and the bug submitter.

Time preceding the disclosure will be used to implement, test and release fixes. Disclosure may be further delayed to the end of an embargo period to allow Product Creators registered for vulnerability alerts to deploy mitigation and/or fixes.

The timeframe for disclosure ranges from immediate (especially if the issue is already publicly known) to 90 days, so that product creators can evaluate mitigations.

The Zephyr PSIRT holds the final say when setting a disclosure date.

The information members receive during embargo periods may be received on

Any information regarding embargoed vulnerabilities must not be made public, shared, nor even hinted at anywhere beyond the need-to-know within your specific team, except with the list's explicit approval. This holds true until the public disclosure date/time that was agreed upon by the list. Members of the list and others may not use the information for anything other than getting the issue fixed for their respective product's users.

Before any embargoed information from the list is shared with the members of your team who are required to fix the issue, they must agree to the same terms and receive information only on a need-to-know basis.

In the unfortunate event that a member shares the information beyond what is allowed by this policy, that member must urgently inform the mailing list of exactly what information leaked and to whom. A retrospective will take place after the leak so we can assess how to avoid the same mistake in the future.

If the member continues to leak information and break this policy, the member will be removed from the list.


Product creators who are not already members of the Zephyr project may be eligible to participate in the mailing list and receive advance notification of vulnerabilities and mitigations before public disclosure by applying to participate. For information on the notification process, refer to the Vulnerability Reporting and Alerts section of the Zephyr Project documentation.

Criteria for participation include:

  1. Have a contact who will respond to emails within a week and understands how Zephyr is being used in the product.
  2. Have a publicly listed product based on some release of Zephyr.
  3. Have an actively monitored security email alias.
  4. Accept the Zephyr Embargo Policy that is outlined above.

Removal: If a member stops adhering to these criteria after joining the list, the member will be unsubscribed.

If you believe your company meets the criteria to be eligible to receive vulnerability alerts, please fill out the form at: Product Creators Vulnerability Alert Registry