Security Research and Firmware

  • I'm a security researcher who has submitted several bugs for resolution in the past. You guys have been great about getting firmware updates issued, but each time a new release is made available I have to submit a request for the link to the firmware to be downloaded. Would it be possible to get a centralized repository where researchers can download the latest version when they are released? Much of the firmware has open source licensing which requires this anyway, and this would aid in faster identification of any potential bugs that might crop up.

    I'm eagerly awaiting 3.12 and looking forward to helping out! Thanks!

  • I will restate my requests for the following (seems an appropriate topic to hijack):

    Detailed release notes with specifics on security fixes. This should include, where relevant, any CVE that a fix is in response to. This information will help inform what update cycle would be appropriate for each user.

    Data flow diagram with details on what data is used for the teleport product/feature. The app agreement is fairly vague on this.

    "1. Information Collected
    a. Device Information and Usage Data. When using the Service, we collect certain information by which someone could potentially identify you or your device, such as IP address, device name and device identifier ("Personal Data"), as well as information by which someone could not identify you or your device, including certain device data, device performance data, device configurations, network statistics, and similar data ("Usage Data")."

  • @john-wethington-0 If I'm understanding correctly, you're asking for something similar to a GitHub repository with links to the firmware and a copy of the GPL, plus commits?

    That to me sounds reasonable, all things considered, since I've seen other router firmware developers do it.

  • Back to this again. Still no way to access the firmware downloads outside of your app. You are using software licensed under GPL and we still don't have a repository for the source nor a way to build it.

  • @conditionblack x100 -- companies love to reach into the open source library jar for things to monetize, but no compliance or give back. Let's hope we see something change here.