Securing Software Updates for Automobiles


We welcome questions, feedback, and suggestions on any aspect of this project. Feel free to email feedback to

Anyone in the automotive industry, open source community, or security community is welcome to join the Uptane Forum. This is a fairly low-volume mailing list (a few messages a week) and is used to disseminate large news items or to plan in-person Uptane workshops.

Standards Development

The Uptane standardization initiative is under the direction of the Uptane Steering Committee and is carried out on a mailing list created specifically for this purpose. This mailing list is higher volume (often multiple messages a day) and is mainly meant to coordinate the standardization effort. To be added to this list, send an email to

Membership Status in JDF/Uptane

We welcome all interested parties to join either mailing list, independent of whether or not your organization joins the Joint Development Foundation Projects, LLC, Uptane Series. (However, if your organization does wish to join this group, please contact for more information on how to do so.)

Code Contributions

To make contributions to this or any other Uptane repository on GitHub, please submit a pull request to this repository using these development instructions. If submitting any new software feature or change, please include or update appropriate unit tests.

All submitted pull requests undergo review and automated testing, including, but not limited to:

Code Issues, Bugs, Feature Requests

If you wish to report a bug or a security issue, or introduce a new feature to the specification, please open an issue on this.

Security Audits

We welcome security audits of the Uptane design and vulnerability reports of the design or any code in the Uptane GitHub namespace. Please contact lab director Justin Cappos or maintainer Lois Anne DeLong. Uptane design and implementation are defined in the Uptane Standards document and supplemented by the Deployment Best Practices document.

Should the information be highly sensitive, auditors / reporters may employ PGP encryption in an email to Justin Cappos using the public key whose PGP fingerprint is: E9C0 59EC 0D32 64FA B35F 94AD 465B F9F6 F8EB 475A.

Audits of TUF alone (which Uptane employs) should be submitted per these instructions to the TUF project team.