As a proud member of the open source community, eProsima takes the security of its software very seriously. As such, we would like to be informed when a security bug is found so that it can be fixed and disclosed as quickly as possible. The rest of the document outlines what is covered by this policy and how to report security vulnerabilities.
The Vulnerability Disclosure Program outlined here covers all code within our publicly available products. An increasing number of companies are using our DDS based solutions, and during this growth period we anticipate vulnerabilities to be identified in products before vendors have an established vulnerability reporting program. We will work with you on a best-effort basis to help connect you with responsible parties best suited to address your concerns.
eProsima strongly supports security research into its software and seeks to encourage that research. eProsima will not engage in legal action against individuals who act in good faith to identify, report and fix vulnerabilities in our products, so long as they operate in accordance with any applicable laws or this policy. Research or testing against DDS systems without the consent of the owner/operator is in violation of this policy and strongly discouraged due to potential health and human safety concerns.
If at any time you have concerns about whether your activities are consistent with this policy, please contact us at support@eprosima.com.
Please submit vulnerability reports by emailing support@eprosima.com, preferably in English. We kindly ask you to encrypt your report using the PGP public key vulnerability-public.key contained in this repository. The more information provided about the bug, the easier it will be to fix. If you already have a fix, please include it with your report. From there, we may setup a secure channel to discuss sensitive details about the vulnerability which may include proof-of-concept code, an impact assessment, recommended remediation steps or other information that will help us find and fix the problem.
Include any plans you may have to disclose details about the vulnerability. In order to protect our users, unless otherwise agreed by both parties, we ask that you not publicly discuss the vulnerability until a fix is published or at least 90 days have passed since the initial report submission. The group handling the report will also follow this timeline. If you do not wish to be acknowledged in the release communications please indicate so when you submit the vulnerability.
Expect a timely response to your notification, normally within two business days, during which time we will triage your vulnerability report.
After we have evaluated the vulnerability we will send you our risk assessment and, where applicable, the anticipated time to publish an update. We will aim at being as transparent as possible about timelines and any issues or challenges which may impact the scheduled fix.
We will notify you when a pull request has been submitted and approved which remediates the vulnerability. Because security vulnerabilities can have severe consequences, they differ from other bugs and at our discretion. In order to protect our users we may modify our normal code release processes for publishing open source code updates.