Vulnerability disclosure policy

IAR Systems® welcomes responsible disclosure of vulnerabilities in any of our products. Security researchers are invited to privately contact us by email with the details of vulnerabilities found.

Please refrain from any wider publication until IAR Systems agrees to wider publication, which may need to wait until a security patch has been successfully rolled out and affected customers protected.

For inquiries on vulnerability topics, please contact us through the email address security-alert@iar.com.

We will endeavor to contact you within a week of receiving your email, after our vulnerability triage. Please note that we may need to coordinate our vulnerability disclosure with other vendors using our products, so we ask you to be patient; responsible disclosure is for the benefit of all.

If you find a vulnerability in one of our products that results in a security patch, we will, if you desire, publicly acknowledge your help in identifying the vulnerability in the Security Advisory and/or on this website.

The products are:

  • IAR Embedded Workbench®
  • IAR Build Tools™ 
  • IAR Visual State™ 
  • IAR Visual Studio Code extensions
  • IAR Embedded Trust®
  • IAR Embedded Secure IP™ 
  • Secure Desktop Provisioner™
  • Secure Deploy-Prototyping

References

  • ISO/IEC 29147:2018 Vulnerability disclosure
  • ISO/IEC 30111:2019 Vulnerability handling processes
  • Code of Practice for Consumer IoT Security, UK Government: Department for Digital, Culture, Media & Sport