The SECURITY file describes the GRUB project security policy. It is based on https://github.com/wireapp/wire/blob/master/SECURITY.md
Signed-off-by: Alex Burmashev <alexander.burmas...@oracle.com> Signed-off-by: Vladimir Serbinenko <phco...@google.com> Signed-off-by: Daniel Kiper <daniel.ki...@oracle.com> --- MAINTAINERS | 3 +++ SECURITY | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 SECURITY diff --git a/MAINTAINERS b/MAINTAINERS index 41fdf5a04..3d5d1ae97 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -8,6 +8,9 @@ Here is the list of current GRUB maintainers: The maintainers drive and overlook the GRUB development. +If you found a security vulnerability in the GRUB please check the SECURITY file to +get more information how to properly report this kind of bugs to the maintainers. + The GRUB development happens on the grub-devel mailing list [1]. The latest GRUB source code is available at Savannah git repository [2]. diff --git a/SECURITY b/SECURITY new file mode 100644 index 000000000..abe1a2fe4 --- /dev/null +++ b/SECURITY 
@@ -0,0 +1,61 @@ +Security Policy +=============== + +To report a vulnerability see "Reporting a Vulnerability" below. + + +Security Incident Policy +======================== + +Security bug reports are treated with special attention and are handled +differently from normal bugs. In particular, security sensitive bugs are not +handled in public but in private. Information about the bug and access to it +is restricted to people in the security bug group, the individual engineers +that work on fixing it, and any other person who needs to be involved for +organisational reasons. The process is handled by the security team, which +decides on the people involved in order to fix the issue. It is also +guaranteed that the person reporting the issue has visibility into the process +of fixing it. Any security issue gets prioritized according to its security +rating. The issue is opened up to the public in coordination with the release +schedule and the reporter. + + +Disclosure Policy +================= + +Everyone involved in the handling of a security issue - including the reporter - +is required to adhere to the following policy. Any information related to +a security issue must be treated as confidential and only shared with trusted +partners if necessary, for example to coordinate a release or manage exposure +of clients to the issue. No information must be disclosed to the public before +the embargo ends. The embargo time is agreed upon by all involved parties. It +should be as short as possible without putting any users at risk. + + +Supported Versions +================== + +Only the most recent version of the GRUB is supported. + +While there's currently no bug bounty program we appreciate every report. + + +Reporting a Vulnerability +========================= + +The security report has to be encrypted with the PGP keys and send to ALL email +addresses listed below. Every vulnerability report will be assessed within +72 hours of receiving it. 
If the outcome of the assessment is that the report +describes a security issue, the report will be transferred into an issue on the +internal vulnerability project for further processing. The reporter is updated +on each step of the process. + +* Contact: Daniel Kiper <daniel.ki...@oracle.com> and + Daniel Kiper <dki...@net-space.pl> +* PGP Key Fingerprint: BE5C 2320 9ACD DACE B20D B0A2 8C81 89F1 988C 2166 + +* Contact: Alex Burmashev <alexander.burmas...@oracle.com> +* PGP Key Fingerprint: 50A4 EC06 EF7E B84D 67E0 3BB6 2AE2 C87E 28EF 2E6E + +* Contact: Vladimir 'phcoder' Serbinenko <phco...@gmail.com> +* PGP Key Fingerprint: E53D 497F 3FA4 2AD8 C9B4 D1E8 35A9 3B74 E82E 4209 -- 2.11.0 _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
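Review bot: the new MAINTAINERS paragraph has a grammar problem in the MAINTAINERS hunk: "If you found a security vulnerability in the GRUB please check the SECURITY file to get more information how to properly report this kind of bugs" should read "If you find a security vulnerability in GRUB, please check the SECURITY file for information on how to properly report this kind of bug to the maintainers." Since this is the first sentence a reporter sees, it is worth getting the wording right before it is copied into other project documentation.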
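Review bot: "Reporting a Vulnerability" in the SECURITY hunk tells reporters to encrypt to "the PGP keys" and lists only fingerprints, with no key server, URL or key file from which to fetch the public keys; add a line stating where the keys can be obtained so reporters can actually verify the fingerprints. In the same paragraph "send to ALL email addresses" should be "sent to ALL email addresses", and "Only the most recent version of the GRUB is supported" should drop "the". The contact entry for Vladimir Serbinenko uses a gmail.com address while his Signed-off-by line on this patch uses a google.com address; since the policy requires reports to go to every listed address, please confirm which one is intended. Finally, Daniel Kiper is listed with two addresses but a single fingerprint; a short note that the one key is used for both addresses would remove any doubt for the reporter.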