contiki-ng / tinydtls

A version of tinyDTLS that is refactored to be easier to use "standalone" (i.e. without bindings to a specific IP stack).

Reporting a vulnerability #31

Closed NErinola closed 2 years ago

NErinola commented 2 years ago

How can we report a discovered security vulnerability? The security policy on GitHub is empty, so we do not have a contact to report a security vulnerability.

Best regards, Nurullah Erinola

boaks commented 2 years ago

Just to mention: if the vulnerability is about tinydtls, the development is done in the eclipse/tinydtls repository. Check there for the "develop" branch. If you find the vulnerability there as well, please follow the guidance in www.eclipse.org - security.

Before you report such a vulnerability, please check whether it is already pending:

reported vulnerabilities

reported issues

(Not all bugs are vulnerabilities; in particular, issues in demo apps are hardly real vulnerabilities.)

NErinola commented 2 years ago

Thanks for the quick response.

Our finding is fixed in the develop branch of eclipse/tinydtls with #115. Therefore we refrain from taking any further steps.

boaks commented 2 years ago

If you currently develop with contiki-ng, maybe you can check whether updating tinydtls to the current develop branch works with it as well.

See Update/test tinydtls to Eclipse/Tinydtls branch "develop".