Responsible vulnerability research and coordinated disclosure from OpenSensor Engineering LLC. All disclosures follow industry-standard coordinated disclosure practices.
OpenSensor Engineering LLC notifies affected vendors prior to public disclosure and provides reasonable time to respond and remediate. Where vulnerabilities exist in mask ROM and cannot be patched by the vendor, we coordinate with downstream vendors and the relevant CNA before publishing. We file CVEs through MITRE when vendor CNAs are not applicable.
Send vulnerability reports to matt@opensensor.io with the recommended subject line Security Report — <target>. Include reproduction steps, affected versions, and any relevant artifacts. PGP available on request.
lightnvr.comowlbooks.aiopensensor.ioFindings on third-party hardware we have researched (e.g., Ingenic SoCs) are coordinated through the relevant vendor and CNA.
OpenSensor Engineering LLC will not pursue legal action against good-faith security research conducted within this scope and reported through this channel.
Reporter hall of fame — coming soon. We credit researchers who follow this policy unless they request anonymity.
Security is a service line at OpenSensor Engineering. We bring the same hands-on approach from our public CVE work to private engagements.
Static and dynamic analysis of vendor firmware, boot ROMs, and SPL chains. Reverse engineering, signature audits, and exploit-feasibility assessment on real silicon.
Architecture review and adversarial testing of secure-boot implementations: signature verification correctness, key handling, anti-rollback, and pre-verification attack surface.
Dependency provenance, build-pipeline integrity, and SBOM hygiene for projects that ship open-source firmware or rely on upstream embedded toolchains.
The Ingenic T31 boot ROM compares only a single 32-bit word during RSA-2048/SHA-256 SPL verification, reducing effective secure boot strength to 32 bits. Affects all T31X silicon (mask ROM; cannot be patched).
The Ingenic T41 boot ROM parses and executes an SPL init table before evaluating secure boot state, providing a memory write primitive that bypasses signature verification entirely. Confirmed on T41 hardware (mask ROM; cannot be patched).
Journalists and vendor coordinators handling embargoed disclosures should use this dedicated channel. Please include any embargo dates and coordinating CNA in your initial message.
Press & Disclosure Inquiries