Vulnerability Management and Disclosure Policy

We take security seriously at Yubico, and are committed to resolving vulnerabilities as quickly as possible. Once a vulnerability has been identified, and the mitigation or resolution has been identified as well, we will issue an advisory.

Our Security Response Team (SRT) reviews all vulnerabilities that are found and reported to us, as well as any issues that we find during our own day-to-day activities and quality assurance testing.

If you discover an issue with our product, contact us directly so that we can evaluate the vulnerability and provide the mitigation or advisory within 30 days. To contact us, send an email to security@yubico.com and provide as much information as possible.

We request that you follow responsible reporting practices and allow us time to evaluate and respond to the vulnerability before discussing the issue in any social media or public forums, or posting information on how to exploit the issue.

To submit information on a vulnerability or flaw in our product (hardware or software), use the PGP key posted below. Using this key ensures secure communications are sent to us. Note that the security@yubico.com email address is meant for reporting vulnerabilities only and is not intended to be used for other security or support issues. For general support issues, see Yubico Support.

How We Report Vulnerabilities

If you want to be notified of security advisories, subscribe to our security advisory email list or Security Advisory RSS feed. You can choose to opt out of the advisory email list at any time.

Yubico Security Advisories

For a list of all security advisories issued by Yubico, in chronological order, see Yubico Security Advisories. To report security issues, email security@yubico.com. Reporters may use our PGP public key.