| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |

We take security issues seriously. If you discover a security vulnerability, please report it responsibly.
Please DO NOT file a public GitHub issue for security vulnerabilities.
Instead, please report them through GitHub's private vulnerability reporting system:
- Go to the repository's Security tab
- Click "Report a vulnerability"
- Fill out the vulnerability report form
Alternatively, you can send a detailed email to the maintainers.
Please include as much of the following as possible:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Any suggested fixes (optional)
After you submit a report, you can expect:
- Initial Response: We aim to acknowledge reports within 7 days
- Status Update: We will provide a timeline for when we expect to have a fix
- Disclosure: After the vulnerability is fixed, we will publish a security advisory
This security policy applies to:
- LoRaWAN protocol handling and frame validation
- MIC (Message Integrity Code) verification
- Session key (NwkSKey, AppSKey) storage and handling
- Device authentication and session management
- Downlink scheduling and queue management
The following are out of scope:
- Social engineering attacks
- Physical security of hardware devices
- Network-level attacks (DDoS, MITM on upstream connections)
- Issues in third-party dependencies (report to upstream maintainers)
Security updates will be released as patch versions (e.g., 1.0.1) and announced through:
- GitHub Security Advisories
- Release notes
Last updated: 2026-04-17