Yubico is committed to maintaining the security and privacy of our products, services, and customers. We value the contributions of the security research community and have implemented a Coordinated Vulnerability Disclosure process to handle vulnerability disclosures in a manner that protects the community while encouraging responsible reporting.
If you believe you have found a security vulnerability in any Yubico-owned repository, please do not report it through public GitHub issues, discussions, or pull requests. Instead, report it to us as described below.
- Email Us: Send details to [email protected]. Include:
  - A description of the issue and steps to reproduce it.
  - Any supporting evidence (e.g., screenshots, proof of concept).
  - Any potential impact and your recommendations for mitigating the risk.
  - Your contact information (optional if you wish to remain anonymous).
- Encrypt Sensitive Data: Use our PGP key at Yubico-Security-Team-Public-Key if needed.
- Act Responsibly: We request that you not share information about a potential vulnerability with others until we have had a chance to triage and, if needed, provide mitigation to impacted customers.
- Confirmation: We will confirm receipt of the report within 3 business days.
- Triage: We will work with you to validate and resolve the issue.
- Disclosure: We will notify you when the fix is complete and may coordinate public disclosure timelines, if applicable.
- Acknowledgement: If desired, we will acknowledge your contribution as part of the disclosure process.
Yubico will not pursue or support any legal action related to the research and disclosure of vulnerabilities when those activities follow Yubico’s coordinated vulnerability disclosure policy and process.