Security: nobleo/rtest

Security Policy

Abstract

This document describes the Vulnerability Disclosure Policy for the rtest package.

Motivation

The developers of rtest take security seriously. As such, we would like to be informed when a security bug is found so that it can be fixed and disclosed as quickly as possible. This document outlines what is covered by this policy and how to report security vulnerabilities.

Scope

The Vulnerability Disclosure Program described here applies to all code contained in the rtest package, including its usage examples.

The maintainers of rtest may also be able to assist you with reporting vulnerabilities related to ROS 2 in general. If you discover vulnerabilities in the broader ROS 2 ecosystem, please refer to REP-2006 for the official ROS 2 vulnerability disclosure policy.

How to submit a vulnerability

For Security Vulnerabilities

Please report security vulnerabilities using one of the following methods:

  1. GitHub Security Advisories: We recommend using GitHub's built-in Security Advisory feature for reporting vulnerabilities. To do this:

    • Navigate to our repository
    • Go to the "Security" tab
    • Select "Report a vulnerability"
    • Fill in the details of the vulnerability
  2. Private Communication: If you prefer not to use GitHub's features, you can contact the repository maintainers directly by sending a direct message to the repository owners on GitHub.

Include any plans you may have to disclose details about the vulnerability. In order to protect our users, unless otherwise agreed by both parties, we ask that you not publicly discuss the vulnerability until a fix is published or at least 90 days have passed since the initial report submission. The team handling the report will also follow this timeline. If you do not wish to be acknowledged in the release communications, please indicate so when you submit the vulnerability.

For Non-Security Issues

For non-security related bugs, feature requests, or general feedback, please open an issue in our GitHub repository:

Issues

When reporting issues through GitHub, please use the provided issue templates when available and include as much detail as possible to help us understand and address your concern.

What to expect in response to a vulnerability disclosure

As an open source project, we strive to address security vulnerabilities as resources permit. Upon receiving your vulnerability report, we will acknowledge receipt and begin evaluation as our volunteer maintainer schedules allow. After evaluating the vulnerability, we will share our assessment of the issue and keep you informed about our progress addressing it. We aim to be transparent about our approach and any challenges that may affect resolution timelines.

For vulnerabilities with potentially widespread impact, we may coordinate with the ROS Security Working Group or other appropriate parties within the open source community. We will notify you when a solution has been implemented. Due to the potentially serious nature of security vulnerabilities, we may handle these issues differently than regular bugs, including possible adjustments to our normal release processes to better protect users.

Safe Harbor

BEAM and Spyrosoft strongly support security research into rtest software and seek to encourage that research. We will not engage in legal action against individuals who act in good faith to identify, report and fix vulnerabilities in our software, so long as they operate in accordance with any applicable laws or this policy. Research or testing against operating robotic systems without the consent of the owner/operator is in violation of this policy and strongly discouraged due to potential health and human safety concerns.

If at any time you have concerns about whether your activities are consistent with this policy, please contact us through one of the methods described above.

Copyright

This security policy is based on REP-2006 and is placed in the public domain or under the CC0-1.0-Universal license, whichever is more permissive.


Last updated: May 05, 2025

There aren’t any published security advisories