Per the terms of the BSD-2-Clause license, libcoap is offered "as is" and without any guarantee or warranty pertaining to its operation. While every reasonable effort is made by its maintainers to ensure the product remains free of security vulnerabilities, users are ultimately responsible for conducting their own evaluations of each software release.

If you believe you've uncovered a security vulnerability and wish to report it confidentially, you may do so via email. Please note that any reported vulnerabilities MUST meet all the following conditions:

• Affects the most recent stable release of libcoap, or a current beta release
• Is reproducible following a prescribed set of instructions

Please note that we DO NOT accept reports generated by automated tooling which merely suggest that a file or file(s) may be vulnerable under certain conditions, as these are most often innocuous.

If you believe that you've found a vulnerability which meets all of these conditions, please email a brief description of the suspected bug and instructions for reproduction to libcoap-security@tzi.org. Please do NOT create a public GitHub issue.

As libcoap is provided as free open source software, we do not offer any monetary compensation for vulnerability or bug reports, however your contributions are greatly appreciated.