wolfSSL Coordinated Vulnerability Disclosure Policy

Effective: 2026-06-01
Canonical URL: https://www.wolfssl.com/.well-known/vulnerability-disclosure-policy.txt

1. Scope

This policy covers security vulnerabilities in wolfSSL products distributed under commercial license or open source, including but not limited to:

- wolfSSL / wolfCrypt
- wolfBoot
- wolfSSH
- wolfMQTT
- wolfTPM
- wolfGuard
- wolfCOSE

2. Reporting

Report vulnerabilities to: security@wolfssl.com
Phone: +1-425-245-8247
Encryption: Reports may be encrypted with our PGP key (see below).

Please include:

- Product name and version
- Description of the vulnerability
- Steps to reproduce or proof of concept
- Your assessment of impact and severity

We require a working proof of concept or concrete reproduction steps that demonstrate real impact. Reports that describe only theoretical weaknesses, scanner output without validation, or bulk-generated findings without evidence of manual analysis will be closed without review. If you used automated tooling, state what you used and show the work you did to confirm the finding is real.

3. What to expect

We will acknowledge receipt without undue delay and keep you informed of our progress toward a fix. We coordinate disclosure timing with reporters whenever possible and credit researchers in our advisories unless they prefer otherwise.

We follow these principles:

- We do not pursue legal action against good-faith security researchers.
- We ask reporters to allow us reasonable time to develop and distribute a fix before public disclosure.
- We publish advisories and request CVE IDs for confirmed vulnerabilities.

4. Our obligations under the EU Cyber Resilience Act

wolfSSL is a manufacturer under the EU Cyber Resilience Act (Regulation 2024/2847). We report actively exploited vulnerabilities to ENISA in accordance with Article 14.

We provide security updates for the supported lifetime of each product and document known vulnerabilities in our published advisories at: https://www.wolfssl.com/docs/security-vulnerabilities/

5. PGP key

Reports may be encrypted to the wolfSSL security key:

Fingerprint: A2A4 8E7B CB96 C5BE CB98 7314 EBC8 0E41 5CA2 9677
Key server: keys.openpgp.org

6. Contact

General inquiries: facts@wolfssl.com
Security reports: security@wolfssl.com
Phone: +1-425-245-8247
Web: https://www.wolfssl.com/