How to report a security vulnerability

This page describes how you can report an OpenBMC security vulnerability privately, giving the project time to address the problem before public disclosure.

The main ideas are:

  • You have information about a security problem which is not yet publicly available.
  • You want the problem fixed before public disclosure and you are willing to help make that happen.
  • You understand the problem will be publicly disclosed.

To begin the process:

  • Send an email to openbmc-security@lists.ozlabs.org with details about the security problem such as:
    • the version and configuration of OpenBMC in which the problem appears
    • how to reproduce the problem
    • what the symptoms are

The OpenBMC security response team will respond to you and work to address the problem. Activities may include:

  • Privately engage community members to understand and address the problem.
  • Work to determine the scope and severity of the problem, such as CVSS metrics.
  • Work to create or identify an existing CVE.
  • Coordinate workarounds and fixes with you and the community.
  • Coordinate announcement details with you, such as timing or how you want to be credited.
  • Create an OpenBMC security advisory.

Alternatives to this process:

  • If the problem is not severe, please open an issue in the affected repository or email the list.
  • Join the OpenBMC community and fix the problem yourself.
  • If you are unsure whether the error is in OpenBMC (as opposed to an upstream project such as the Linux kernel, or a downstream project such as a customized version of OpenBMC), please report it and we will help you route it to the correct area.
  • Discuss your topic in other OpenBMC communication channels.