We actively support the following versions of Tab5duino-IDF with security updates:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
The Tab5duino-IDF team takes security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to: [security@tab5duino.org] (replace with actual email)
If you prefer, you can also use GitHub's private vulnerability reporting feature:
- Go to the repository's Security tab
- Click "Report a vulnerability"
- Fill out the form with detailed information
Please include the following information in your report:
- Type of issue (buffer overflow, injection, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- Location of the affected source code (tag/branch/commit or direct URL)
- Special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
This information will help us triage your report more quickly.
- Initial Response: Within 48 hours of receipt
- Status Updates: Every 72 hours until resolution
- Resolution Target: Within 90 days for critical issues, longer for complex issues
- Verification: We verify and assess the security impact
- Fix Development: Develop and test a fix
- Coordinated Disclosure: Work with you on disclosure timeline
- Release: Issue security update and advisory
- Recognition: Credit you in the security advisory (if desired)
Tab5duino-IDF provides several security features:
- Memory Protection: PSRAM-aware memory allocation prevents common buffer overflows
- Error Handling: Comprehensive error checking prevents undefined behavior
- Hardware Abstraction: HAL layer provides validated hardware access
- Component Isolation: Modular architecture limits attack surface
When using Tab5duino-IDF, follow these security best practices:
esp_err_t process_user_input(const char* input, size_t max_len) {
// Always validate input parameters
if (input == NULL || max_len == 0 || max_len > MAX_SAFE_LENGTH) {
return ESP_ERR_INVALID_ARG;
}
// Use secure string functions
char buffer[MAX_SAFE_LENGTH];
strncpy(buffer, input, max_len - 1);
buffer[max_len - 1] = '\0';
return ESP_OK;
}void* secure_malloc(size_t size) {
// Use framework memory allocation
void* ptr = Tab5duino.malloc(size);
if (ptr) {
// Zero initialize sensitive memory
memset(ptr, 0, size);
}
return ptr;
}
void secure_free(void* ptr, size_t size) {
if (ptr) {
// Clear sensitive data before freeing
memset(ptr, 0, size);
Tab5duino.free(ptr);
}
}esp_err_t safe_gpio_access(uint8_t pin, uint8_t value) {
// Validate pin numbers
if (pin >= GPIO_NUM_MAX) {
return ESP_ERR_INVALID_ARG;
}
// Use framework GPIO functions
digitalWrite(pin, value);
return ESP_OK;
}When implementing network functionality:
- Use TLS/SSL for all network communications
- Validate all network input
- Implement proper certificate verification
- Use secure random number generation for cryptographic operations
For over-the-air updates:
- Verify firmware signatures before installation
- Use encrypted update channels
- Implement rollback capability for failed updates
- Validate firmware integrity
Consider physical security implications:
- Debug interfaces can be disabled for production
- Secure boot can be enabled (ESP32-P4 feature)
- Flash encryption available for sensitive data
- Hardware security modules integration possible
- ESP32-P4 RISC-V architecture security features
- Hardware random number generator availability
- Secure storage limitations
- Debug interface exposure
- Memory management relies on ESP-IDF heap implementation
- Some Arduino compatibility functions may have reduced security
- Hardware abstraction may not cover all security-relevant hardware features
Security updates will be released as:
- Critical: Immediate patch release (within 24 hours)
- High: Patch release within 7 days
- Medium: Next minor version release
- Low: Next major version release
Subscribe to security updates through:
- GitHub Security Advisories
- Release notifications
- Security mailing list (if available)
We believe in responsible disclosure and will:
- Work with security researchers to understand and fix issues
- Provide credit to researchers who report issues responsibly
- Coordinate disclosure timing to protect users
- Maintain transparency about security issues and fixes
Security researchers who responsibly disclose vulnerabilities will be:
- Credited in the security advisory (if desired)
- Listed in the project's security contributors
- Notified of fix releases before public disclosure
For security-related questions or concerns:
- Security Team: security@tab5duino.org (replace with actual email)
- General Contact: GitHub Issues (for non-security issues)
If you need to encrypt communications, our public GPG key is available at: [Include GPG key information when available]
Thank you for helping keep Tab5duino-IDF and its users safe!