Please do not report security vulnerabilities through public GitHub issues.
We handle all PX4 security reports through GitHub Security Advisories on the PX4/PX4-Autopilot repository, regardless of which PX4 repo the issue was found in. This gives us a single, private disclosure channel for the whole project.
To report a vulnerability:
- Go to PX4/PX4-Autopilot.
- Click the Security tab (or ... → Security on mobile).
- Click Report a Vulnerability and fill in the advisory form.
Please include enough detail for us to reproduce and verify the issue. Logs, screenshots, photos, videos, and proof-of-concept code are all welcome.
After you submit a report, you can expect:
- Acknowledgment within 7 days
- Triage and impact assessment by the maintainer team
- Coordinated disclosure with the reporter, crediting you in the advisory unless you request anonymity
If you do not receive an acknowledgment within 7 days, please follow up by pinging the release managers.
For details on which PX4 releases receive security updates, and on the secure development practices the project follows (code review, static analysis, fuzzing, input validation, compiler hardening), see the full PX4-Autopilot Security Policy.