
Security: YoeDistro/tock


SECURITY.md

Security Policy

Reporting a Vulnerability

The Tock team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.

How to Report a Vulnerability

Please report all security vulnerabilities by emailing security@lists.tockos.org.

Include the following information in your report:

  • Description of the vulnerability.
  • Steps to reproduce the issue.
  • Potential impact of the vulnerability.
  • Any potential mitigations you've identified.
  • Version of Tock affected.

What to Expect

After submitting a vulnerability report, expect the following response process:

  1. Acknowledgment: Receipt acknowledged within 5 days.
     • If you have not received a confirmation within 5 days, please send a separate email without sensitive information to core@lists.tockos.org to alert the Core Team that there is a pending, unacknowledged security issue.
  2. Verification: Our security team verifies the issue and may request additional information.
  3. Resolution Timeline: A severity-based resolution timeline is established; you will be kept informed.
  4. Public Disclosure: Disclosure timing is coordinated after the vulnerability has been addressed.
     • A reasonable embargo period is typically requested.

Security Vulnerability Response Process

Our process includes:

  1. Validating and assessing severity.
  2. Assigning the issue to the appropriate subsystem maintainer.
  3. Developing and testing a fix.
  4. Releasing a patched version.
  5. Issuing a security advisory (if applicable).
  6. Publicly acknowledging the reporter (unless anonymity requested).

Security Advisories

Security advisories for Tock are published:

  • On our GitHub repository as Security Advisories.
  • Via the public Tock security-announce mailing list.

Bug Bounty Program

At this time, Tock does not offer a bug bounty program.
