Vulnerability Disclosure Policy

Reporting Security Vulnerabilities (general)

eCosCentric takes security issues extremely seriously and welcomes feedback from security researchers in order to improve the security of its products and services. We operate a policy of coordinated disclosure for dealing with reports of security vulnerabilities and issues.

To privately report a suspected security issue to us, please send an email to security address sign eCosCentric dot com giving as much detail as you can. We will respond to you as soon as possible. If the suspected security issue is confirmed we will then come back to you with an estimate of how long the issue will take to fix. Once the fix is available (and well tested), we will notify you and recognise your efforts on this page.

Security issues in deployed products/run-time software

If you believe you've found an issue in a product incorporating our real-time embedded software then please also contact the hardware manufacturer directly - as a result of having published a lot of our work as open source, or having supplied software under a self-service evaluation/Non-Commercial license, we may not have a current/direct link with a product's end-manufacturer.

For issues relating to development with eCosPro, engineers should first check for applicable updates on Bugzilla and the eCosPro download portal, using their secure company credentials to login. Please open a support ticket, even if your company's Support and Maintenance agreement has lapsed. All matters raised within the support portal are managed in strict commercial confidence.

Security issues in operational infrastructure

We also welcome reports (to the email address above) of any issues affecting the proper operation of eCosCentric's website, user management, support systems and download portal, as well as community infrastructure that we host - often such issues are transient supplier/hosting problems, but we are grateful for all reports.

Thanks and acknowledgements

eCosCentic wishes to thank the following Security Researchers and host Organisations who have responsibly participated in our coordinated vulnerability disclosure programme on past issues.

Microsoft Security Vulnerability Research (MSVR)
Cybersecurity and Infrastructure Security Agency (CISA)