If you uncover a security issue with micro-http, please write to us on firecracker-security-disclosures@amazon.com.
Once the Firecracker maintainers become aware (or are made aware) of a security issue, they will immediately assess it. Based on impact and complexity, they will determine an embargo period (if externally reported, the period will be agreed upon with the external party).
During the embargo period, maintainers will prioritize developing a fix over other activities. Within this period, maintainers may also notify a limited number of trusted parties via a pre-disclosure list, providing them with technical information, a risk assessment, and early access to a fix.
The external customers are included in this group based on the scale of their micro-http usage in production. The pre-disclosure list may also contain significant external security contributors that can join the effort to fix the issue during the embargo period.
At the end of the embargo period, maintainers will publicly release information about the security issue together with the micro-http patches that mitigate it.