The Uptane community is committed to maintaining a reliable and consistent Standard. If you believe you have identified errata—including security issues—in the Uptane Standard, please follow these guidelines for responsible disclosure.

We release updates to the Uptane specification to address errata. You may report errata for the most recent version of the Uptane Standard. We will not retroactively make changes to older versions.

Please report (suspected) errata in the specification. You can create an issue in the appropriate repository or send feedback directly to our mailing list at uptane-standards [at] googlegroups [dot] com.

We're committed to working with security researchers to resolve errata they discover. You can help us by following these guidelines:

• Please give as much detail as possible for a suspected errata in Uptane including:
  • Version in which it was found
  • Description of errata
  • Examples (if applicable)
• We are committed to acknowledging the contributions of security researchers (if desired)
• If you have found a vulnerability related to a certain vendor's implementation of the Uptane standard, please report it directly to that solution provider