541e68d0ee
Based loosely on the Linux kernel Documentation/admin-guide/security-bugs.rst file, create a basic security document for U-Boot. In sum, security issues should be disclosed in public on the mailing list if at all possible as an initial position. Signed-off-by: Tom Rini <trini@konsulko.com> Reviewed-by: Simon Glass <sjg@chromium.org> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
33 lines
1.1 KiB
ReStructuredText
33 lines
1.1 KiB
ReStructuredText
.. SPDX-License-Identifier: GPL-2.0+:
|
|
|
|
Handling of security vulnerabilities
|
|
====================================
|
|
|
|
The U-Boot project takes security very seriously. As such, we'd like to know
|
|
when a security bug is found so that it can be fixed and disclosed as quickly
|
|
as possible.
|
|
|
|
Contact
|
|
-------
|
|
|
|
The preferred initial point of contact is to send email to
|
|
`u-boot@lists.denx.de` and use `scripts/get_maintainers.pl` to also include any
|
|
relevant custodians. In addition, Tom Rini should be contacted at
|
|
`trini@konsulko.com`.
|
|
|
|
CVE assignment
|
|
--------------
|
|
|
|
The U-Boot project cannot directly assign CVEs, nor do we require them for
|
|
reports or fixes, as this can needlessly complicate the process and may delay
|
|
the bug handling. If a reporter wishes to have a CVE identifier assigned ahead
|
|
of public disclosure, they will need to coordinate this on their own. When
|
|
such a CVE identifier is known before a patch is provided, it is desirable to
|
|
mention it in the commit message if the reporter agrees.
|
|
|
|
Non-disclosure agreements
|
|
-------------------------
|
|
|
|
The U-Boot project is not a formal body and therefore unable to enter any
|
|
non-disclosure agreements.
|