If you discover a security vulnerability in openpilot, please report it responsibly.

Issues that could affect vehicle safety should be reported immediately to:
- Email: security@comma.ai
- Include "SECURITY" in the subject line

Reporting channels:
- Open a GitHub Security Advisory (preferred)
- Or email security@comma.ai

Please include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Response timeline:
- Initial response: within 48 hours
- Status update: within 7 days
- Fix timeline: depends on severity

This project implements multiple layers of security:
- CBMC: Bounded model checking for C safety code
- TLA+: State machine verification for selfdrived
- SPIN: Protocol verification for msgq
- libFuzzer: Continuous fuzzing with sanitizers
- MISRA C:2012: Compliance checking for safety-critical C code
- SonarCloud: Code quality and security scanning
- Ruff: Python linting with security rules
- Dependabot: Automated security updates
- pip-audit: Vulnerability scanning (manual)

Supported versions:

| Version | Supported |
|---|---|
| master | ✅ |
| develop | ✅ |
| < 0.9 | ❌ |