u-boot/doc/develop/security.rst

.. SPDX-License-Identifier: GPL-2.0+:

Handling of security vulnerabilities
====================================

The U-Boot project takes security very seriously.  As such, we'd like to know
when a security bug is found so that it can be fixed and disclosed as quickly
as possible.

Contact
-------

The preferred initial point of contact is to send email to
`u-boot@lists.denx.de` and use `scripts/get_maintainers.pl` to also include any
relevant custodians. In addition, Tom Rini should be contacted at
`trini@konsulko.com`.

CVE assignment
--------------

The U-Boot project cannot directly assign CVEs, nor do we require them for
reports or fixes, as this can needlessly complicate the process and may delay
the bug handling. If a reporter wishes to have a CVE identifier assigned ahead
of public disclosure, they will need to coordinate this on their own.  When
such a CVE identifier is known before a patch is provided, it is desirable to
mention it in the commit message if the reporter agrees.

Non-disclosure agreements
-------------------------

The U-Boot project is not a formal body and therefore unable to enter any
non-disclosure agreements.
docs: Add a basic security document Based loosely on the Linux kernel Documentation/admin-guide/security-bugs.rst file, create a basic security document for U-Boot. In sum, security issues should be disclosed in public on the mailing list if at all possible as an initial position. Signed-off-by: Tom Rini <trini@konsulko.com> Reviewed-by: Simon Glass <sjg@chromium.org> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> 2022-11-03 18:25:44 +00:00			`.. SPDX-License-Identifier: GPL-2.0+:`

			`Handling of security vulnerabilities`
			`====================================`

			`The U-Boot project takes security very seriously. As such, we'd like to know`
			`when a security bug is found so that it can be fixed and disclosed as quickly`
			`as possible.`

			`Contact`
			`-------`

			`The preferred initial point of contact is to send email to`
			`u-boot@lists.denx.de` and use `scripts/get_maintainers.pl` to also include any
			`relevant custodians. In addition, Tom Rini should be contacted at`
			`trini@konsulko.com`.

			`CVE assignment`
			`--------------`

			`The U-Boot project cannot directly assign CVEs, nor do we require them for`
			`reports or fixes, as this can needlessly complicate the process and may delay`
			`the bug handling. If a reporter wishes to have a CVE identifier assigned ahead`
			`of public disclosure, they will need to coordinate this on their own. When`
			`such a CVE identifier is known before a patch is provided, it is desirable to`
			`mention it in the commit message if the reporter agrees.`

			`Non-disclosure agreements`
			`-------------------------`

			`The U-Boot project is not a formal body and therefore unable to enter any`
			`non-disclosure agreements.`