Hello world :-) This subject does not touch any ongoing security issues, so it can be public and it would be nice to discuss it with the whole NuttX community :-)

As we get security reports sometimes, and two recent CVEs (already fixed in 12.10.0 and 12.11.0) were sent for review by the Apache Security Team while some reports were not considered a security vulnerability, we were asked by the AST to create a dedicated Security page, as each Apache project should have one. So here goes the draft :-)

https://github.com/apache/nuttx/pull/17583

This PR is in Draft mode until all ideas / remarks are addressed :-)

I have put an extract of The Apache Security Guide to serve as input for both reporters and handlers:

https://www.apache.org/security/
https://www.apache.org/security/committers.html

There is a link to the online NuttX related CVEs. I can see that other Apache projects also contain an offline list of the CVEs, so I will add them in a free moment so we have a complete bundle of information included in one place.

Please review and advise on what we do not consider a security vulnerability. We had many reports of fuzzing sysctls for instance, and found that some sort of protections would impact performance and code size on the tiny MCUs. Thus the recommendation that parameter and data validation rests on the custom application/firmware developer's shoulders. Any hints are welcome here!

Also it seems that we should have a dedicated mailing list security@nuttx, but we have none yet. Should I create one? This will auto-align with the security@apache tools and workflows, keep sec stuff in one place, etc.

Thanks :-)
Tomek

--
CeDeROM, SQ7MHZ, http://www.tomek.cedro.info
