Security: BishopFox/sparkplugFuzzer

SECURITY.md

Security Policy

Reporting a Vulnerability in This Tool

If you discover a security issue in sparkplug-fuzzer.py itself — for example, a way the fuzzer could be coerced into attacking an unintended target, a privilege-escalation surface, or a bug that causes uncontrolled traffic generation against the broker it connects to — please report it privately.

Email: research@bishopfox.com

Please include:

  • A description of the issue
  • Steps to reproduce (target broker, command line, sample output)
  • Affected version (sparkplug-fuzzer.py --version or the commit SHA)
  • Your assessment of impact

We aim to acknowledge new reports within 5 business days and provide a resolution timeline within 10 business days.

Reporting a Vulnerability in a Sparkplug B Implementation

This tool is designed to surface issues in third-party Sparkplug B brokers, edge nodes, and host applications. Findings against those systems should be reported to the affected vendor under their disclosure policy. Bishop Fox is not a clearinghouse for vendor findings — please coordinate directly with the vendor.

Scope

In scope:

  • Vulnerabilities in code under this repository
  • Vulnerabilities that allow misuse of the tool to attack systems beyond the configured target
  • Supply-chain risks in the --setup flow

Out of scope:

  • Vulnerabilities in Eclipse Tahu (sparkplug_b.py, array_packer.py, sparkplug_b_pb2.py) — these are external dependencies; report upstream to https://github.com/eclipse/tahu
  • Vulnerabilities in third-party MQTT brokers tested with the fuzzer — report to the vendor
  • Findings produced by the fuzzer against test systems — those are output, not bugs

Safe Harbor

Researchers acting in good faith to identify and report vulnerabilities under this policy will not be subject to legal action by Bishop Fox.