# Project security policy

The MCUboot project uses the [TrustedFirmware.org security policy](https://www.trustedfirmware.org/.well-known/security.txt).

## Reporting security vulnerabilities

The preferred way to report a security vulnerability with MCUboot is via the "Report a vulnerability" button on the main [security page](https://github.com/mcu-tools/mcuboot/security).

You can also email the MCUboot security team at mcuboot-security@lists.trustedfirmware.org as per the TrustedFirmware.org policy. Please include the word "SECURITY" as well as "MCUboot" in the subject of any message.

## Disclosure

Any confirmed security vulnerability will be disclosed to Trusted Stakeholders as per the TrustedFirmware.org policy. A draft advisory and vulnerability fix will be created in MCUboot's [security advisory system](https://github.com/mcu-tools/mcuboot/security/advisories) on GitHub, with any interested Trusted Stakeholders and the reporter added as viewers.

On the public disclosure date, the security advisory page will be made public, and the public CVE database will be updated with all relevant information. The release notes of the next MCUboot release will refer to any allocated CVE(s).