MethodicConfigurator

Security Policy

Security Requirements

This section outlines the security measures and requirements that the ArduPilot Methodic Configurator project implements to ensure the security and integrity of our software.

Dependency Management

We maintain secure software supply chains by keeping dependencies up-to-date:

• Dependabot: Automated dependency updates for GitHub ecosystem
• Renovate: Comprehensive dependency management across all package managers
• Regular monitoring and updates of Python packages and system dependencies

Static Code Analysis

We use multiple static analysis tools to identify potential security issues and ensure code quality:

• Ruff: Fast Python linter and code formatter
• MyPy: Static type checker for Python
• Pyright: Microsoft’s Python type checker
• Pylint: Comprehensive Python code analyzer

Automated Security Scanning

Our CI/CD pipeline includes automated security scans:

• GitHub CodeQL: Advanced security vulnerability detection
• Dependency Review: Automated review of dependency changes for security issues
• Anti-virus Scanning: Regular malware detection using ClamAV
• OpenSSF Scorecard: Automated security health metrics

Compliance and Best Practices

We adhere to industry standards and best practices as documented in our Compliance Guide, including:

• Secure coding practices
• License compliance verification
• Regular security audits through Snyk, Codacy, Black Duck and other tools
• Uses gitleaks pre-commit hook to ensure no secrets are leaked
• Implements automated security scanning and vulnerability checks
• Open-source security guidelines

What Users Can Expect

• Secure Dependencies: All dependencies are regularly updated and scanned for vulnerabilities
• Code Quality: Static analysis ensures adherence to security best practices
• Vulnerability Response: Prompt response to reported security issues (see below)
• Transparency: Public disclosure of security processes and findings

Limitations

• Third-party Dependencies: Security depends on the security practices of our dependencies
• User Environment: Security of the end-user environment is outside our control
• Configuration: Improper configuration by users may introduce security risks
• Physical Access: Physical access to devices/flight controllers is not protected by this software

Supported Versions

Only the latest version is supported with security updates.

Reporting a Vulnerability

Select security on the top of the github homepage to report a vulnerability.

If we deem it relevant, we will try to fix it ASAP, or at least reply to you ASAP.

Response Process

Once a vulnerability is reported, we will acknowledge receipt within 3 business days and provide an estimated timeline for review and remediation.

Public Disclosure

We kindly request that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it. We aim to resolve vulnerabilities promptly and appreciate your cooperation in maintaining the security of our users.

Responsible Disclosure

We encourage responsible disclosure of security vulnerabilities. Please provide detailed information about the vulnerability, including steps to reproduce it, affected components, and potential impact. This will help us to effectively address the issue.

This site is open source. Improve this page.