| Version | Supported |
|---|---|
| 1.x | ✅ Yes |

This project follows a Coordinated Vulnerability Disclosure (CVD) policy in alignment with CRA Article 14.

If you discover a security vulnerability:

- DO NOT open a public GitHub issue
- Email: security@[your-domain] (update with your contact)
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Any suggested mitigations

| Action | Timeframe |
|---|---|
| Acknowledgement | Within 24 hours |
| Initial assessment | Within 7 days |
| Fix or mitigation | Within 90 days |
| Public disclosure | After fix is available |

We request responsible disclosure — please allow us to patch before public disclosure.

This project implements CRA-compliant security controls:

- Mutual TLS authentication for all network communication
- Signed firmware updates (no unsigned code execution)
- Encrypted credential storage (NVS encryption)
- SBOM published with each release
- Vulnerability scanning on every build