OPENSENSOR ENGINEERING

Security Disclosures

Responsible vulnerability research and coordinated disclosure from OpenSensor Engineering LLC. All disclosures follow industry-standard coordinated disclosure practices.

Vulnerability Disclosure Policy

OpenSensor Engineering LLC notifies affected vendors prior to public disclosure and provides reasonable time to respond and remediate. Where vulnerabilities exist in mask ROM and cannot be patched by the vendor, we coordinate with downstream vendors and the relevant CNA before publishing. We file CVEs through MITRE when vendor CNAs are not applicable.

How to report

Send vulnerability reports to matt@opensensor.io with the recommended subject line Security Report — <target>. Include reproduction steps, affected versions, and any relevant artifacts. PGP available on request.

Response SLA

  • Initial reply within 5 business days
  • Triage update within 10 business days
  • Remediation timeline coordinated with the affected vendor

Scope

  • lightnvr.com
  • owlbooks.ai
  • opensensor.io

Findings on third-party hardware we have researched (e.g., Ingenic SoCs) are coordinated through the relevant vendor and CNA.

Safe harbor

OpenSensor Engineering LLC will not pursue legal action against good-faith security research conducted within this scope and reported through this channel.

Acknowledgments

Reporter hall of fame — coming soon. We credit researchers who follow this policy unless they request anonymity.

Security Services

Security is a service line at OpenSensor Engineering. We bring the same hands-on approach from our public CVE work to private engagements.

Firmware Analysis

Static and dynamic analysis of vendor firmware, boot ROMs, and SPL chains. Reverse engineering, signature audits, and exploit-feasibility assessment on real silicon.

Secure Boot Review

Architecture review and adversarial testing of secure-boot implementations: signature verification correctness, key handling, anti-rollback, and pre-verification attack surface.

OSS Supply-Chain Review

Dependency provenance, build-pipeline integrity, and SBOM hygiene for projects that ship open-source firmware or rely on upstream embedded toolchains.

Security Contact

To report a vulnerability or coordinate a disclosure:

matt@opensensor.io

Press & Coordinated Disclosure

Journalists and vendor coordinators handling embargoed disclosures should use this dedicated channel. Please include any embargo dates and coordinating CNA in your initial message.

Press & Disclosure Inquiries