Vulnerability Disclosure Policy

IAR Systems® welcomes responsible disclosure of vulnerabilities in any of our products. Security researchers are invited to privately contact us by email with the details of vulnerabilities found, optionally encrypting any sensitive information with Open PGP using our public key below.

Please refrain from any wider publication until IAR Systems agrees to wider publication, which may need to wait until a security patch has been successfully rolled out and affected customers protected.

Our contact details can be found in the file "security.txt", which contains the email address security-alert@iar.com and our GPG public key, which you can use to encrypt information about the vulnerability.

We will endeavor to contact you within a week in response to your email after our vulnerability triage. But note that we may need to coordinate our vulnerability disclosure with other vendors using our products, so we ask you to be patient - this is for the benefit of all for responsible disclosure.

If you find a vulnerability in one of our products that does result in a security patch, if you desire, we will publicly acknowledge your help in identifying the vulnerability in the Security Advisory and/or on this website.

The products are: 

IAR Embedded Workbench®

IAR Build Tools™ 

IAR Visual State™ 

IAR Flash Tool 

IAR Visual Studio Code extensions

IAR Embedded Trust®

IAR Embedded Secure IP™ 

Secure Desktop Provisioner™

Secure Deploy-Prototyping

References

  • IAR Systems® "security.txt"
  • IAR Systems® GPG public key
  • ISO/IEC 29147:2018 Vulnerability disclosure
  • ISO/IEC 30111:2019 Vulnerability handling processes
  • Code of Practice for Consumer IoT Security, UK Government : Department for Digital, Culture, Media & Sport

We do no longer support Internet Explorer. To get the best experience of iar.com, we recommend upgrading to a modern browser such as Chrome or Edge.