95bc2ae9fe
CONTRIBUTING.md: remove the deleted wii5_modes sketch from the testing
guidance; mention the surviving test/ subsystem sketches instead.
README.md: drop the now-incorrect "hardware schematics" entry from the
repository-layout block (doc/hardware/ was removed earlier). Add a
Repository section naming the Gitea canonical and the GitHub mirror
(https://github.com/SH3D/WII5Firmware) used for community issues and PRs.
SECURITY.md, CODE_OF_CONDUCT.md: point at the GitHub mirror for security
advisories; drop the vague "private GitHub message" path from the CoC.
CHANGELOG: replace the "TODO" placeholder with a real v5.5.1 initial
public release entry.
Doxyfile: rewrite the PROJECT_NUMBER injection example to use
`git describe` instead of the deleted VERSION file.
VERSION: removed. It was bumped by tools/tag_version.sh +
tools/build_version.sh (both deleted in c89c636); build_local.sh injects
WII5_SOFTWARE_VERSION from `git log -1 --pretty=%h` at compile time, so
nothing load-bearing depends on the file.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
48 lines
1.7 KiB
Markdown
# Security Policy

## Reporting a vulnerability

If you discover a security issue in the WII5 Buoy firmware — for example,
a flaw in the Iridium SBD command-handling path, an authentication bypass
in the console protocol, or anything else that could let an attacker take
control of a deployed buoy — **please do not open a public GitHub issue**.

Instead, report it privately:

- Open a private security advisory via the GitHub mirror's **Security**
  tab → "Report a vulnerability":
  https://github.com/SH3D/WII5Firmware/security/advisories/new
- Or email the maintainer: Scott Penrose <scottp@dd.com.au>

Please include:

- A description of the issue and its potential impact
- Steps to reproduce, or a proof-of-concept
- The affected firmware version (`WII5_SOFTWARE_VERSION`) and hardware
  variant if known

We will acknowledge receipt within a reasonable time, work with you on a
fix, and coordinate disclosure.

## What this project asks of contributors

When opening issues or pull requests, **please do not include**:

- Internal hostnames, IP addresses, or network paths from operational
  deployments
- Iridium IMEIs, modem serial numbers, or device identifiers from real
  deployments
- GPS coordinates of operational deployment sites
- Other contributors' personal information (emails, real names, paths) —
  unless they have given explicit permission

If you need example values to demonstrate a problem, use obviously-fake
placeholders (e.g. `192.0.2.1` from RFC 5737, IMEI `300000000000000`,
generic lat/lng like `0,0`).

## Supported versions

Only the latest tagged release on `main` is actively supported. Older
deployed firmware may continue to function in the field but does not
receive backported fixes.