mirror of https://github.com/smaeul/u-boot.git, synced 2025-10-26 01:28:14 +00:00
Based loosely on the Linux kernel Documentation/admin-guide/security-bugs.rst file, create a basic security document for U-Boot. In sum, security issues should be disclosed in public on the mailing list if at all possible as an initial position.

Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
33 lines, 1.1 KiB, ReStructuredText
.. SPDX-License-Identifier: GPL-2.0+:

Handling of security vulnerabilities
====================================

The U-Boot project takes security very seriously.  As such, we'd like to know
when a security bug is found so that it can be fixed and disclosed as quickly
as possible.

Contact
-------

The preferred initial point of contact is to send email to
`u-boot@lists.denx.de` and use `scripts/get_maintainers.pl` to also include any
relevant custodians. In addition, Tom Rini should be contacted at
`trini@konsulko.com`.

CVE assignment
--------------

The U-Boot project cannot directly assign CVEs, nor do we require them for
reports or fixes, as this can needlessly complicate the process and may delay
the bug handling. If a reporter wishes to have a CVE identifier assigned ahead
of public disclosure, they will need to coordinate this on their own.  When
such a CVE identifier is known before a patch is provided, it is desirable to
mention it in the commit message if the reporter agrees.

Non-disclosure agreements
-------------------------

The U-Boot project is not a formal body and therefore unable to enter any
non-disclosure agreements.