There are two different kinds of "security issue" that could come up around this project, and they get handled very differently. Read this before you report anything.
This repo documents hardware and firmware, it does not run any of it, and it's not a target for reporting. If you found a real, working vulnerability in a deployed Flock Safety camera, backend service, or app, report it straight to Flock Safety, not here.
Flock Safety runs a vulnerability disclosure program through HackerOne: hackerone.com/flock
You can also reach their security team directly at securityquestions@flocksafety.com.
Do not open a public GitHub issue in this repo describing a working, unpatched exploit against live hardware or infrastructure. That puts real deployed devices and the people who rely on them at risk before Flock has a chance to fix anything. See DISCLOSURE.md for the fuller reasoning and our policy on what we will and won't publish here.
This includes things like:
- The repo accidentally includes something sensitive, like a private key, a real credential, unredacted personal data, or a specific device's serial number, IMEI, or MAC address.
- A documented "finding" turns out to be flat out wrong in a way that could mislead someone or cause harm if acted on.
- Something in the repo could be read as active exploit code rather than documentation, and shouldn't be here per our disclosure policy.
For these, open a private report if possible, or contact a maintainer directly rather than posting publicly, especially if it involves exposed secrets or personal data. We'll fix it and, if needed, scrub it from history.
- Documentation accuracy (wrong chip ID, wrong pinout, wrong FCC number, and so on). These are just regular issues or pull requests, not security reports, but we're listing them here since people sometimes aren't sure.
- Accidental inclusion of sensitive or personal data in this repo.
- Genuinely new hardware or firmware findings that should go through the disclosure process before landing here in detailed form.
- Attacks against Flock Safety's live production systems. Take those to Flock directly.
- General complaints about the company, its products, or its customers that aren't tied to a specific technical finding.
This is a documentation project, not software with versioned releases, so there's no patch cadence to track here. "Latest" is always the current state of the main branch.