Handling of security vulnerabilities

The U-Boot project takes security very seriously. As such, we’d like to know when a security bug is found so that it can be fixed and disclosed as quickly as possible.


The preferred initial point of contact is to send email to u-boot@lists.denx.de and use scripts/get_maintainers.pl to also include any relevant custodians. In addition, Tom Rini should be contacted at trini@konsulko.com.

CVE assignment

The U-Boot project cannot directly assign CVEs, nor do we require them for reports or fixes, as this can needlessly complicate the process and may delay the bug handling. If a reporter wishes to have a CVE identifier assigned ahead of public disclosure, they will need to coordinate this on their own. When such a CVE identifier is known before a patch is provided, it is desirable to mention it in the commit message if the reporter agrees.

Non-disclosure agreements

The U-Boot project is not a formal body and therefore unable to enter any non-disclosure agreements.