The Wind River® PSIRT works with customers, authorities, the security community, and our Security Office on Secure Development Lifecycle (SDL) policies and standards. These empower our development teams and security champions with processes and procedures to identify and resolve supported product security issues in a timely manner, aligned to the FIRST.org PSIRT Services Framework and the ISO/IEC 30111 and 29147 standards.
Wind River PSIRT Policy
Wind River values and supports responsible vulnerability disclosure with confidential reporting of vulnerabilities, timely resolution, and a mutually agreed-to timeline for publication as warranted and when remediation is available.
Reporters must provide adequate detail to describe and reproduce the vulnerability in the Wind River product(s), including:
- CVE number (if applicable)
- Impacted product or component
- Applicability to Wind River delivered product
- Software version
- Description of the vulnerability and its location
- Technical details to reproduce the vulnerability
- Proof-of-concept exploit code if available
- Contact information (for follow-up and recognition)
For confidential reporting of product security vulnerabilities, please use our PGP Public Key to encrypt the message and email PSIRT@windriver.com.
The Wind River PSIRT will acknowledge receipt of reported vulnerabilities and contact the reporter to discuss the resolution plan, according to the severity and impact of the vulnerability. We do not currently support a monetary bug bounty program. However, we do offer public acknowledgement of researchers adhering to this policy. We support the creation of new CVE entries for our products for unique and un-remediated vulnerabilities.
Wind River continuously provides timely resolution and notification of vulnerabilities and remediations for our actively supported products through Security Bulletins and a comprehensive vulnerability database accessible from our Security Center website. Vulnerability support for legacy products is provided to customers who have a Long-Term Security Shield (LTSS) agreement; end-of-life (EOL) products require a specific Professional Services agreement.