This security policy covers all 38 applications in the eApps suite, the core libraries (core/common, core/ui, core/storage, core/network, core/platform), platform ports (port/sdl2, port/eos, port/web), and build infrastructure.
| Version | Supported |
|---|---|
| 2.0.x | ✅ Active support |
| < 2.0 | ❌ No support |
Do not open a public issue for security vulnerabilities.
Email security@embeddedos.org with:
- Description of the vulnerability
- Affected component(s) (e.g., core/network/http.c, apps/essh/)
- Steps to reproduce
- Impact assessment (see Severity Classification below)
- Any suggested fix or mitigation
Alternatively, use GitHub Security Advisories to privately report the issue.
If you prefer encrypted communication, use the PGP key published at:
https://embeddedos.org/.well-known/pgp-key.asc
Fingerprint: [TO BE PUBLISHED]
| Severity | Description | Example |
|---|---|---|
| Critical | Remote code execution, authentication bypass, memory corruption exploitable over network | Buffer overflow in SSH handshake parser |
| High | Privilege escalation, data exfiltration, denial of service on network services | Unauthenticated VNC session hijack |
| Medium | Information disclosure, local privilege escalation, resource exhaustion | Unvalidated file path in eFiles |
| Low | Minor information leak, UI spoofing, non-exploitable crash | Stack trace exposed in error dialog |
| Action | SLA |
|---|---|
| Acknowledge receipt | 48 hours |
| Initial triage and severity assessment | 5 business days |
| Provide fix timeline | 10 business days |
| Release patch (Critical/High) | 30 days |
| Release patch (Medium/Low) | 90 days |
- We follow coordinated disclosure. We request that reporters give us reasonable time to address vulnerabilities before public disclosure.
- Once a fix is released, we will publish a security advisory on GitHub with full details and credit to the reporter (unless anonymity is requested).
- CVE IDs will be requested for Critical and High severity issues.
The following components handle untrusted input or network data and receive priority security review:
| Component | Risk Area |
|---|---|
| apps/essh/ | SSH protocol, key management, terminal I/O |
| apps/evnc/ | VNC protocol, framebuffer access, authentication |
| apps/etunnel/ | SSH tunneling, SOCKS proxy, port forwarding |
| apps/eweb/ | HTTP/HTML parsing, JavaScript execution, cookies |
| apps/eftp/ | FTP protocol, file system access |
| apps/evpn/ | VPN tunnel, cryptographic operations |
| apps/eguard/ | Firewall rules, packet inspection |
| apps/echat/ | Message transport, encryption |
| apps/eserial/ | Serial protocol, raw data handling |
| core/network/ | HTTP client, socket operations |
| core/platform/ | File I/O, process management, clipboard |
- Static Analysis: cppcheck and clang-tidy run on every PR
- SAST: GitHub CodeQL scans on push/PR to protected branches
- Dependency Monitoring: Dependabot for GitHub Actions and git submodules
- Supply Chain: OSSF Scorecard weekly analysis
- Branch Protection: Required PR reviews, CI pass, and CODEOWNERS review
We gratefully acknowledge security researchers who responsibly disclose vulnerabilities. Contributors will be listed here upon request.
The eApps team takes security seriously. If you discover a security vulnerability, please report it responsibly.
- DO NOT open a public GitHub issue for security vulnerabilities
- Email security findings to: security@embeddedos.org
- Include the following in your report:
  - Description of the vulnerability
  - Steps to reproduce
  - Affected component(s) and version(s)
  - Potential impact assessment
  - Any suggested fix (optional)
For encrypted communications, use our PGP key:
Fingerprint: [TO BE ADDED]
The full public key is available at: https://embeddedos.org/.well-known/security.txt
| Action | SLA |
|---|---|
| Acknowledgment of report | 48 hours |
| Initial triage and severity assessment | 5 business days |
| Status update to reporter | 10 business days |
| Fix development and testing | Varies by severity |
| Public disclosure (coordinated) | 90 days from report |
| Severity | Description | Examples |
|---|---|---|
| Critical | Remote code execution, complete system compromise | Buffer overflow in network module, arbitrary code execution via crafted input |
| High | Significant data exposure, privilege escalation | Authentication bypass in eSSH, credential leak in eVPN |
| Medium | Limited data exposure, denial of service | Crash via malformed HTTP response, directory traversal in eFiles |
| Low | Minor information disclosure, hardening gaps | Version disclosure, missing security headers |
The following components are in scope for security reports:
- core/common/ — Types, math, string, date utilities, expression parser, registry
- core/ui/ — Theme, widgets, canvas, game engine
- core/storage/ — Preferences (key-value store)
- core/network/ — HTTP client (POSIX, Win32, Web backends)
- core/platform/ — Platform abstraction layer
- High priority: eSSH, eVNC, eTunnel, eVPN, eGuard, eWeb, eFTP, eChat (network-facing)
- Medium priority: eFiles, eZip, ePDF, eViewer (file-handling)
- Standard priority: All remaining apps
- port/sdl2/ — Desktop display/input drivers
- port/eos/ — Embedded EoS drivers
- port/web/ — Emscripten/WASM drivers
The following are out of scope for security reports:
- Third-party dependencies (report to upstream maintainers)
- The EoS operating system itself (report to embeddedos-org/eos)
- Social engineering attacks
- Static analysis via cppcheck in CI
- Multi-platform build matrix (GCC, MSVC, Clang)
- Unit tests with CTest
- SPDX license identifiers on all source files
- SHA256 checksums on release artifacts
- CodeQL SAST scanning
- Dependabot dependency monitoring
- AddressSanitizer / UBSan in nightly builds
- libFuzzer harnesses for parsers and network modules
- SBOM generation (CycloneDX)
- OSSF Scorecard tracking
We gratefully acknowledge security researchers who help keep eApps safe. Responsible disclosures will be credited in release notes (with reporter's consent).
This security policy is part of the eApps project, licensed under MIT.