# How to report a security vulnerability
This describes how you can report an OpenBMC security vulnerability
privately to give the project time to address the problem before
public disclosure.
The main ideas are:
- You have information about a security problem which is not yet
publicly available.
- You want the problem fixed before public disclosure and
you are willing to help make that happen.
- You understand the problem will be publicly disclosed.
To begin the process:

- Send an email to `openbmc-security@lists.ozlabs.org` with details
  about the security problem such as:
  - the version and configuration of OpenBMC the problem appears in
  - how to reproduce the problem
  - what the symptoms are
The OpenBMC security response team will respond to you and work to
address the problem. Activities may include:
- Privately engage community members to understand and address the
problem.
- Work to determine the scope and severity of the problem, for example
  by scoring it with [CVSS metrics](https://www.first.org/cvss/calculator/3.0).
- Work to create or identify an existing [CVE](http://cve.mitre.org/about/index.html).
- Coordinate workarounds and fixes with you and the community.
- Coordinate announcement details with you, such as timing or
how you want to be credited.
- Create an OpenBMC security advisory.
Alternatives to this process:
- If the problem is not severe, please open an issue in the affected
  repository or email the list.
- Join the OpenBMC community and fix the problem yourself.
- If you are unsure whether the problem is in OpenBMC (as opposed to an
  upstream project such as the Linux kernel, or a downstream project
  such as a customized version of OpenBMC), please report it and we
  will help you route it to the correct area.
- Discuss your topic in other [OpenBMC communication channels](https://github.com/openbmc/openbmc).