From 73cc726d483b4493ada2bb219468a7b30a676a66 Mon Sep 17 00:00:00 2001 From: Mark Atwood Date: Fri, 29 May 2026 10:42:56 -0700 Subject: [PATCH 1/2] docs: add org-level security policy Add SECURITY.md pointing to the canonical vulnerability disclosure policy at wolfssl.com. This gives every wolfSSL repo without its own SECURITY.md a Security tab on GitHub. --- SECURITY.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..c6916ec --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,21 @@ +# wolfSSL Security Policy + +## Reporting a Vulnerability + +Report security vulnerabilities to **support@wolfssl.com** or call **+1-425-245-8247**. + +Reports may be encrypted with our PGP key: + + Fingerprint: A2A4 8E7B CB96 C5BE CB98 7314 EBC8 0E41 5CA2 9677 + Key server: keys.openpgp.org + +## Full Policy + +Our coordinated vulnerability disclosure policy — including scope, threat-model +boundaries, response commitments, and EU Cyber Resilience Act obligations — is +published at: + + https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt + +This policy covers wolfSSL, wolfCrypt, wolfBoot, wolfSSH, wolfMQTT, wolfTPM, +wolfGuard, wolfCOSE, and other wolfSSL products. From b6b02f56290f3e10ef9373b378f5a28b4faffd44 Mon Sep 17 00:00:00 2001 From: Mark Atwood Date: Mon, 1 Jun 2026 17:59:22 -0700 Subject: [PATCH 2/2] docs: use canonical secure@wolfssl.com for security reports Per Chris Conlon, secure@ is the existing alias for inbound security reports. support@ is the general support inbox. Aligns with the canonical /.well-known/security.txt and vulnerability-disclosure-policy.txt. --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index c6916ec..d8edf77 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,7 +2,7 @@ ## Reporting a Vulnerability -Report security vulnerabilities to **support@wolfssl.com** or call **+1-425-245-8247**. +Report security vulnerabilities to **secure@wolfssl.com** or call **+1-425-245-8247**. Reports may be encrypted with our PGP key:
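Review bot: In [PATCH 1/2], the PGP lines under "Reporting a Vulnerability" in the new SECURITY.md give a fingerprint and a key server but not the user ID or address the key is bound to, so a reporter has no way to tell that the key fetched from keys.openpgp.org is the one intended for the reporting address listed just above. Suggest naming the key's user ID next to the fingerprint and asking reporters to compare the full fingerprint after import. The "Full Policy" section also links only vulnerability-disclosure-policy.txt; if the /.well-known/security.txt mentioned in the follow-up commit message is canonical too, linking it here would let readers cross-check the contact details.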
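Review bot: In [PATCH 2/2], the changed line moves the contact from support@wolfssl.com to secure@wolfssl.com, but the unchanged context line "Reports may be encrypted with our PGP key:" still refers to the same key as before, and nothing in the hunk shows that this key carries a user ID for the new address. Please confirm that the published key (fingerprint A2A4 8E7B CB96 C5BE CB98 7314 EBC8 0E41 5CA2 9677) is valid for secure@wolfssl.com and that the holders of that alias can decrypt with it; otherwise encrypted reports sent to the new address may be unreadable on arrival. Since the commit message cites /.well-known/security.txt as the reference for the address, it would also help to state in SECURITY.md that the address and key match that file.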