espressif / ESP8266_NONOS_SDK

ESP8266 nonOS SDK
Other
931 stars 535 forks source link

[Vulnerability] found - Question #237

Closed Matheus-Garbelini closed 5 years ago

Matheus-Garbelini commented 5 years ago

Hello,

I've found a 802.11 DoS Vulnerability and was wondering what is the correct procedure to follow (as I'm not sure if this would fit as a new CVE). Would I need to report everything in detail here or directly to Espressif site?(https://www.espressif.com/en/company/contact-extra/technical-inquiries-software)

The issue in question appears to affect all esp8266 using NONOS SDK up to the latest version as in this repository. This also includes the current SDK version used in the esp8266 arduino branch.

I've seen there's the email bugbounty@espressif.com Would still be OK to report this to espressif so they can validate it? (Not interested in the bounty as the esp8266 program has ended)

Ivyares commented 5 years ago

The best way is to test whether the ESP32 has the same issue. :P If it is, then maybe you can win the bug bounty of ESP32? Not sure if it is a "security" issue.. Anyway, I think you can try the email bugbounty@espressif.com.

Matheus-Garbelini commented 5 years ago

@Ivyares Thank you, I'm not sure about ESP32 yet, but I'm doing tests with it. Rarely it crashes and as I can't manually reproduce the crash, I'm not even sure if its my code or not.

For ESP8266, I'll send espressif an email providing the results and the test code this week so they can reproduce it. I dought they will ignore this problem as the development of this SDK still seems to be going.

@xcguang I've sent a technical email to bugbounty@espressif.com following the provided template, please let me know if it was acknowledged. Thank you.