Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / docs / 0a97a5d7175e5dfe81609b7a539e1319514d2f7a^! / .
commit0a97a5d7175e5dfe81609b7a539e1319514d2f7a[log] [tgz]
authorJoseph Reynolds <jrey@us.ibm.com>Mon Jul 16 16:12:02 2018 -0500
committerGunnar Mills <gmills@us.ibm.com>Mon Oct 29 14:25:28 2018 +0000
treee2bfa9d058ab87844fd6b728ca3decbebb6e295a
parent5b4f5d6b242391c43fe979b895a31c3820a967b2 [diff]
Create security vulnerability reporting mechanism

This documents the process to privately report OpenBMC
security vulnerabilities with the intention of giving
time to the project to fix the problem before public
disclosure.

This first commit establishes the project's scope.
The next commit:
 - provides guidelines to the OpenBMC security response team as it
   works to address the security issues and disclose publicly
 - establishes the "How to report security vulnerabilities" web
   page to tell problem submitters what to include in their report
   and what to expect from the OpenBMC security response team

Change-Id: Ib90070f998a815ba3f4430c7eb6ff84b3934e012
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>

diff --git a/security/obmc-security-response-team.md b/security/obmc-security-response-team.md
new file mode 100644
index 0000000..7c42698
--- /dev/null
+++ b/security/obmc-security-response-team.md

@@ -0,0 +1,38 @@
+# The OpenBMC security vulnerability reporting process
+
+This describes the OpenBMC security vulnerability reporting process
+which is intended to give the project time to address security
+problems before public disclosure.
+
+The main pieces are:
+ - a procedure to privately report security vulnerabilities
+ - a security response team to address reported vulnerabilities
+ - the openbmc-security email address for the response team
+ - guidelines for security response team members
+
+The basic workflow is:
+ 1. A community member reports a problem privately to the security
+    response team.
+ 2. The response team works to understand the problem and privately
+    engages community members to resolve it.
+ 3. Workarounds and fixes are created, reviewed, and approved.
+ 4. The security response team creates an OpenBMC security advisory
+    which explains the problem, its severity, and how to protect
+    your systems that were built on OpenBMC.
+
+Note that the OpenBMC security response team is distinct from the
+OpenBMC security working group which remains completely open.
+
+The [How to privately report a security vulnerability](./how-to-report-a-security-vulnerability.md)
+web page explains how OpenBMC community members can report a security
+vulnerability and get a fix for it before public announcement of the
+vulnerability.
+
+The `openbmc-security@lists.ozlabs.org` email address is the primary
+communication vehicle between the person who reported the problem and
+the security response team, and the initial communication between the
+security response team members.
+
+The [Guidelines for security response team members](./obmc-security-response-team-guidelines.md)
+contain collected wisdom for the response team and community members
+who are working to fix the problem.