I'd like to formally request a by-invitation firmware documentation and modifications space where vulnerabilities and other security and safety associated topics can be discussed, without danger of that information being leaked.
Hi,
There can be no guarantee of integrity on a community site like this, it is inherently leaky and open. There are layers of permissions, but it isn’t something I particularly want to micromanage.
Proper disclosure of vulnerabilities should be submitted via email to the point of contact you have to Victron. We receive a lot of “speculative” disclosures from people looking for bounties and such, usually AI generated, generic, and a waste of time, so it can take a bit of persistence to find the right person of seniority to actually look closely and then escalate to engineering if appropriate.
Actual vulnerability is extremely rare, to the point where I can’t think of a case that the “discovered” vulnerability was not just a misunderstanding of intended behaviour, accentuated by unclear documentation or user interface.
For example we had a reported vulnerability for VRM where users thought they had found a way to get access to other users' sites.
This was only possible when that original user had overridden the default and made their site publicly shareable, but this wasn’t clear enough in the front end UI. This UI has been improved, though the ability to publicly share your VRM site still exists, and wasn’t ever insecure.
I’d say the closest we have to an invitation-only group is the Victron Software Integrators; they have their own co-ordination separate to me to manage them, and they have spaces to discuss deeper topics on the Victron stack that they don’t want to be public (though usually for commercial reasons, rather than exploitable vulnerabilities).