WII5Firmware/SECURITY.md
scottp 295abb37ee Initial public release of WII5 Buoy firmware
Firmware for an autonomous wave-measurement buoy (ATmega2560-based
WII5 v2 board). Reads wave motion from a Sparton AHRS-M1/M2 IMU,
samples GPS and battery state, and reports back over Iridium SBD
satellite telemetry. Originally developed 2012-2024.

This is the first public release. Code, documentation, and field-tested
operating modes (Capture, Sleep, Position, ManualTest, SelfTest,
LowBattery) are licensed under Apache 2.0 — see LICENSE and NOTICE.

See README.md for an overview and build instructions, CONTRIBUTING.md
for how to contribute, and DEPLOYMENTS.md for the field-deployment log.
2026-05-07 16:27:18 +10:00


# Security Policy

## Reporting a vulnerability

If you discover a security issue in the WII5 Buoy firmware — for example,
a flaw in the Iridium SBD command-handling path, an authentication bypass
in the console protocol, or anything else that could let an attacker take
control of a deployed buoy — **please do not open a public GitHub issue**.
Instead, report it privately:

- Open a private security advisory via the GitHub repository's
  **Security** tab → "Report a vulnerability", or
- Email the maintainer: Scott Penrose <scottp@dd.com.au>

Please include:

- A description of the issue and its potential impact
- Steps to reproduce, or a proof-of-concept
- The affected firmware version (`WII5_SOFTWARE_VERSION`) and hardware
  variant if known

We will acknowledge receipt within a reasonable time, work with you on a
fix, and coordinate disclosure.
## What this project asks of contributors

When opening issues or pull requests, **please do not include**:

- Internal hostnames, IP addresses, or network paths from operational
  deployments
- Iridium IMEIs, modem serial numbers, or device identifiers from real
  deployments
- GPS coordinates of operational deployment sites
- Other contributors' personal information (emails, real names, paths) —
  unless they have given explicit permission

If you need example values to demonstrate a problem, use obviously-fake
placeholders (e.g. `192.0.2.1` from RFC 5737, IMEI `300000000000000`,
generic lat/lng like `0,0`).
## Supported versions

Only the latest tagged release on `main` is actively supported. Older
deployed firmware may continue to function in the field but does not
receive backported fixes.