Stack Buffer Overflow - Potential Denial of Service #6840

I'd like to report a stack buffer overflow bug within RIOT without making it publicly known. I'm still doing some testing at the device level, but a bug definitely exists. Who is best to discuss this with privately?

Comments

EDIT: See comment by @gebart below. Why should you not make it publicly available? This is an open source project and the issue can't be discussed or solved if no information about it is shared. Feel free to report it here, on the devel mailing list (https://lists.riot-os.org/mailman/listinfo/devel), or try to contact someone over IRC (#riot-os at irc.freenode.net).

@JeffJerseyCow Right now, I don't think there is a designated software vulnerability team among the developers, but I would suggest that you contact @OlegHahm, @kaspar030, or @emmanuelsearch directly via email or IRC. Until we have defined a security issues group, they should be able to direct you to the person most suited to address the vulnerability. @lebrush Current industry best practice when it comes to vulnerabilities in open source projects is to contact some core developers or a security team to discuss a solution and apply that solution to the tree before publicly releasing the information about how the exploit is triggered. This is done to avoid having exploits used in the wild before the developers have had a chance to fix them. https://en.m.wikipedia.org/wiki/Responsible_disclosure

It sounds sensible and I think it makes a lot of sense for systems which are easily updatable. However, it's quite hard for in-the-field embedded devices, since a fix may not even be possible if there is no update mechanism... Newly produced devices could have the issue fixed, though... I guess that doing it the way @gebart suggests does not hurt anyone and could benefit [companies with] updatable devices in the field ;-) So between no benefit and some benefit... this is the best solution. Maybe we should document this somewhere, define contact people, and define a procedure for announcing security issues (i.e. a new dedicated mailing list).

@gebart Thank you, I appreciate it. I've set out on attacking various IoT devices as a preventative measure against future security issues.

security@riot-os.org has been set up and documented in the wiki, so I am closing this issue. Please reopen if I'm mistaken.