The following versions receive security updates:

We receive security vulnerability reports through GitHub Security Advisories.

To begin a report, go to the PX4/PX4-Autopilot repository and click on the Security tab. If you are on mobile, click the ... dropdown menu, then click Security.

Click Report a Vulnerability to open the advisory form. Fill in the advisory details form. Make sure your title is descriptive and the description contains all relevant details needed to verify the issue. We welcome logs, screenshots, photos, and videos.

At the bottom of the form, click Submit report.

1. Acknowledgment: The maintainer team will acknowledge your report within 7 days.
2. Triage: We will assess severity and impact and communicate next steps.
3. Disclosure: We coordinate disclosure with the reporter. We follow responsible disclosure practices and will credit reporters in the advisory unless they request anonymity.

If you do not receive acknowledgment within 7 days, please follow up by emailing the release managers.

The PX4 development team applies the following practices to reduce security risk:

• Code review: All changes require peer review before merging.
• Static analysis: clang-tidy runs on every pull request with warnings treated as errors.
• Fuzzing: A daily fuzzing pipeline using Google fuzztest tests MAVLink message handling and GNSS driver protocol parsing.
• Input validation: All external inputs (MAVLink messages, RC signals, sensor data) are validated against expected ranges before use.
• Compiler hardening: Builds use -Wall -Werror, stack protectors, and other hardening flags where supported by the target platform.