Security disclosure

Report a security issue affecting the Rust IoT Gateway path

This page is Combotto's low-profile disclosure route for supplier-side vulnerability reports affecting the gateway-first v1 product line. It is operational guidance for coordinated disclosure, not a standalone managed PSIRT or compliance service.

In scope

Public or customer reports affecting Rust-Iot-Gateway
Dependency advisories with plausible gateway impact
Scanner or audit findings that can be tied to a gateway release line
Internal discoveries that should follow the same reporting discipline

Out of scope

Sales, consulting, or general contact requests
Issues outside the current gateway-first product line
Requests for CSAF, regulator-submission automation, or export feeds
Testing that causes privacy violations, destructive changes, or service disruption

How to report

Send the report to tb@combotto.io

Use a dedicated email thread rather than the general contact form so the report lands in the right workflow. Include the smallest evidence set that makes validation possible.

Please include

Affected product, component, or dependency
Affected version or release line when known
A concise summary of the issue and why it matters
Advisory links, reproduction notes, or scan evidence
Your contact details and preferred follow-up path

What to expect

Initial acknowledgement within 24 hours
Manual scope and validation review after intake
Direct follow-up if more evidence is required
Coordinated communication on remediation and publication timing

Safe harbor

If you act in good faith, stay within the in-scope product line, avoid privacy violations, data destruction, service disruption, social engineering, and public disclosure before coordination, Combotto will treat your work as authorized security research rather than hostile activity.

Coordination

This path is manual-first. After validation, Combotto will confirm whether the issue is in scope, which supported release lines are affected, and whether the next step is track, attend, or act. If a report is out of scope or tied to an unsupported line, that will be stated explicitly.

Published advisories

Public Rust IoT Gateway advisories are published at /security/advisories/. Use this page for new reports and coordination expectations; use the advisory archive when you need the current public publication home.

Before you send

Keep the report specific

Reports move faster when the affected gateway path, version range, and evidence source are named directly instead of described in abstract terms.

If you already know the issue is customer-visible, known exploited, or likely to cross a reporting threshold, say that plainly in the first message.

Use this inbox only for security reports. For audit or consulting inquiries, use the normal contact route.

Do not include secrets, production credentials, or unrelated customer data unless there is no safer way to explain the issue.