This package follows the ROS 2 vulnerability disclosure guidance in REP-2006.
px4_msgs contains only ROS 2 message and service definitions, which are generated and synchronized automatically from PX4-Autopilot. Vulnerabilities in the content of the definitions or in PX4 itself should be reported to the PX4 project. This policy covers the packaging, build, and CI tooling maintained in this repository.
Please do not open a public GitHub issue for security-sensitive reports.
Instead, use one of the following private channels:
- Open a private security advisory on this repository (Security → Report a vulnerability), or
- Contact the maintainers listed in package.xml.
For vulnerabilities affecting PX4 more broadly, follow the PX4 security policy.
When reporting, please include:
- A description of the vulnerability and its potential impact.
- Steps to reproduce or a proof of concept.
- The affected branch / version (e.g. main, release/1.17).
We will acknowledge your report as soon as possible and keep you informed of the progress towards a fix.