The OpenBMC security vulnerability reporting process

This describes the OpenBMC security vulnerability reporting process which is intended to give the project time to address security problems before public disclosure.

The main pieces are:

• a procedure to privately report security vulnerabilities
• a security response team to address reported vulnerabilities
• the openbmc-security email address for the response team
• guidelines for security response team members

The basic workflow is:

1. A community member reports a problem privately to the security response team (and to the repository maintainers if known).
2. The responders (including the security response team, the repository maintainers, and the problem submitter) work to understand the problem.
3. The repository maintainer creates an OpenBMC security advisory which explains the problem, its severity, and how to protect your systems that were built on OpenBMC.
4. The responders privately engage community members to create workarounds and fixes and to negotiate disclosure dates.
5. The OpenBMC security advisory is published along with any accompanying CVEs.

Note that the OpenBMC security response team is distinct from the OpenBMC security working group which remains completely open.

The How to privately report a security vulnerability web page explains how OpenBMC community members can report a security vulnerability and get a fix for it before public announcement of the vulnerability.

The openbmc-security at lists.ozlabs.org email address is the primary communication vehicle between the person who reported the problem and the security response team, and the initial communication between the security response team members.

The Guidelines for security response team members contain collected wisdom for the response team and community members who are working to fix the problem.