Responsible disclosure policy #1960
Comments
Sorry, we don't want to imply that security is a primary concern. We can't offer the assurances or the handling.

To any user of rtl_433 reading this, please note: We aim to make rtl_433 safe to use, but it should not be assumed secure. The output is literally pulled from thin air, it's not to be trusted. If you feed a downstream system with data, make sure edge cases are checked and handled. Network inputs and outputs are for use in a trusted local network, will contain unfiltered data, and might overload the recipient (know that e.g. the MQTT output can be controlled by anyone with a radio sender).
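The comment above says the decoded output should be treated as untrusted and that downstream consumers must check edge cases themselves. The following is an added example of such a consumer-side check, written for this thread and not code from the rtl_433 project: it reads JSON event lines of the shape rtl_433 typically emits, enforces an allowlist of fields with type and range limits, caps line size, and drops everything that does not conform. The field names (`time`, `model`, `id`, `temperature_C`, ...) and all limits are assumptions chosen for the example, and the sample lines are constructed, not real captures.

```python
import json
import math

MAX_LINE_BYTES = 4096  # assumed cap for this example; oversized lines are dropped

# Allowlisted fields: name -> (accepted Python types, range/length check).
# Field names mirror common rtl_433 JSON keys but the schema itself is an
# assumption for this example. bool is a subclass of int, so it is rejected
# explicitly in validate_event().
SCHEMA = {
    "time":          (str,          lambda v: 0 < len(v) <= 32),
    "model":         (str,          lambda v: 0 < len(v) <= 64),
    "id":            (int,          lambda v: 0 <= v < 2**32),
    "channel":       (str,          lambda v: 0 < len(v) <= 8),
    "battery_ok":    (int,          lambda v: v in (0, 1)),
    "temperature_C": ((int, float), lambda v: math.isfinite(v) and -60.0 <= v <= 80.0),
    "humidity":      ((int, float), lambda v: math.isfinite(v) and 0 <= v <= 100),
}
REQUIRED = ("time", "model")

# Constructed sample event lines (not real radio captures): one good event
# followed by several malformed or hostile ones a receiver might see.
SAMPLE_LINES = [
    '{"time": "2024-01-01 12:00:00", "model": "Acurite-Tower", "id": 1234, '
    '"channel": "A", "battery_ok": 1, "temperature_C": 21.5, "humidity": 40}',
    # implausible reading that would break a naive dashboard or threshold alert
    '{"time": "2024-01-01 12:00:01", "model": "Acurite-Tower", "id": 1234, '
    '"temperature_C": 9999.0, "humidity": 40}',
    # oversized model string
    '{"time": "2024-01-01 12:00:02", "model": "' + "A" * 5000 + '", "id": 1}',
    'not json at all',
    # wrong type for id (a string where an integer is expected)
    '{"time": "2024-01-01 12:00:03", "model": "Acurite-Tower", '
    '"id": "1234; DROP TABLE readings", "temperature_C": 20.0}',
    '[1, 2, 3]',
    # Python's json module accepts NaN; an unknown key ("mic") is also present
    '{"time": "2024-01-01 12:00:04", "model": "Acurite-Tower", "id": 7, '
    '"mic": "CRC", "temperature_C": NaN}',
]


def validate_event(line):
    """Return (event, None) for an acceptable event, or (None, reason) otherwise."""
    if len(line.encode("utf-8", "replace")) > MAX_LINE_BYTES:
        return None, "line too long"
    try:
        obj = json.loads(line)
    except ValueError:  # json.JSONDecodeError is a ValueError
        return None, "not valid JSON"
    if not isinstance(obj, dict):
        return None, "top-level value is not an object"
    for key in REQUIRED:
        if key not in obj:
            return None, f"missing required field {key!r}"
    clean = {}
    for key, value in obj.items():
        if key not in SCHEMA:
            continue  # unknown keys are dropped rather than forwarded
        types, check = SCHEMA[key]
        if isinstance(value, bool) or not isinstance(value, types):
            return None, f"field {key!r} has wrong type"
        if not check(value):
            return None, f"field {key!r} out of range"
        clean[key] = value
    return clean, None


def filter_events(lines):
    """Split raw lines into accepted (sanitised) events and rejection reasons."""
    accepted, rejected = [], []
    for line in lines:
        event, reason = validate_event(line)
        if event is None:
            rejected.append(reason)
        else:
            accepted.append(event)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_events(SAMPLE_LINES)
    print("accepted:", ok)
    print("rejected:", bad)
```

Rejecting rather than coercing keeps a single malformed transmission from poisoning stored data, and the allowlist means a new or unexpected key never reaches the downstream system unexamined. The same structure applies to an MQTT subscriber: validate each message payload before acting on it.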
@JamieSlome just open an issue and we will attend to it accordingly. But as @zuckschwerdt says, this tool should mainly be used as an RF-to-network bridge. And the use of the data is mainly for visualization purposes. The parsing code handles >100 different protocols; it is very likely that someone can craft a specific radio transmission that triggers unwanted behavior.

@merbanan @zuckschwerdt - thanks for the response, both! It is unlikely that the reports are consequential given your initial comments here, but both can be read here: https://huntr.dev/bounties/6c9cd35f-a206-4fdf-b6d1-fcd50926c2d9/

The issues are valid and will be fixed.

@merbanan - thanks, appreciate your time and effort here! If possible, could you approve and confirm fixes against both reports, so that the researcher gets rewarded for their efforts?
Hey there!
I belong to an open source security research community, and a member (@aug5t7) has found an issue, but doesn’t know the best way to disclose it.
If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)