# Security Policy

## Reporting a vulnerability

If you discover a security issue in the WII5 Buoy firmware — for example, a flaw in the Iridium SBD command-handling path, an authentication bypass in the console protocol, or anything else that could let an attacker take control of a deployed buoy — **please do not open a public GitHub issue**.

Instead, report it privately:

- Open a private security advisory via the GitHub mirror's **Security** tab → "Report a vulnerability": https://github.com/SH3D/WII5Firmware/security/advisories/new
- Or email the maintainer: Scott Penrose <scottp@dd.com.au>

Please include:

- A description of the issue and its potential impact
- Steps to reproduce, or a proof-of-concept
- The affected firmware version (`WII5_SOFTWARE_VERSION`) and hardware variant if known

We will acknowledge receipt within a reasonable time, work with you on a fix, and coordinate disclosure.

## What this project asks of contributors

When opening issues or pull requests, **please do not include**:

- Internal hostnames, IP addresses, or network paths from operational deployments
- Iridium IMEIs, modem serial numbers, or device identifiers from real deployments
- GPS coordinates of operational deployment sites
- Other contributors' personal information (emails, real names, paths) — unless they have given explicit permission

If you need example values to demonstrate a problem, use obviously-fake placeholders (e.g. `192.0.2.1` from RFC 5737, IMEI `300000000000000`, generic lat/lng like `0,0`).

## Supported versions

Only the latest tagged release on `main` is actively supported. Older deployed firmware may continue to function in the field but does not receive backported fixes.