Report to: security@embeddedos.org

• Do NOT open public issues for vulnerabilities
• Response within 48 hours
• CVE assignment for confirmed issues

• ISO/IEC 20243 — supply chain security
• ISO/IEC/IEEE 15288:2023 — secure development lifecycle
• SPDX license headers on all source files
• CycloneDX SBOM available in ebuild monorepo