On Thu, Nov 03, 2022 at 09:05:59PM +0100, Heinrich Schuchardt wrote: > On 11/3/22 19:25, Tom Rini wrote: > > Based loosely on the Linux kernel > > Documentation/admin-guide/security-bugs.rst file, create a basic > > security document for U-Boot. In sum, security issues should be > > disclosed in public on the mailing list if at all possible as an initial > > position. > > > > Signed-off-by: Tom Rini <tr...@konsulko.com> > > --- > > doc/develop/index.rst | 1 + > > doc/develop/security.rst | 32 ++++++++++++++++++++++++++++++++ > > 2 files changed, 33 insertions(+) > > create mode 100644 doc/develop/security.rst > > > > diff --git a/doc/develop/index.rst b/doc/develop/index.rst > > index 5934d9ffb115..04322efe59fd 100644 > > --- a/doc/develop/index.rst > > +++ b/doc/develop/index.rst > > @@ -15,6 +15,7 @@ General > > process > > release_cycle > > system_configuration > > + security > > Should we get this into alphabetic order? >
Whoops, can you fix when applying please? > > sending_patches > > > > Implementation > > diff --git a/doc/develop/security.rst b/doc/develop/security.rst > > new file mode 100644 > > index 000000000000..84b130646f31 > > --- /dev/null > > +++ b/doc/develop/security.rst > > @@ -0,0 +1,32 @@ > > +.. SPDX-License-Identifier: GPL-2.0+: > > + > > +Handling of security vulnerabilities > > +==================================== > > + > > +The U-Boot project takes security very seriously. As such, we'd like to > > know > > +when a security bug is found so that it can be fixed and disclosed as > > quickly > > +as possible. > > + > > +Contact > > +------- > > + > > +The preferred initial point of contact is to send email to > > +`u-boot@lists.denx.de` and use `scripts/get_maintainers.pl` to also > > include any > > +relevant custodians. In addition, Tom Rini should be contacted at > > +`tr...@konsulko.com`. > > + > > +CVE assignment > > +-------------- > > + > > +The U-Boot project cannot directly assign CVEs, nor do we require them for > > +reports or fixes, as this can needlessly complicate the process and may > > delay > > +the bug handling. If a reporter wishes to have a CVE identifier assigned > > ahead > > +of public disclosure, they will need to coordinate this on their own. When > > +such a CVE identifier is known before a patch is provided, it is desirable > > to > > +mention it in the commit message if the reporter agrees. > > + > > +Non-disclosure agreements > > +------------------------- > > + > > +The U-Boot project is not a formal body and therefore unable to enter any > > +non-disclosure agreements. > > Otherwise > Reviewed-by: Heinrich Schuchardt <xypron.g...@gmx.de> -- Tom
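Review bot: the new file's first line `.. SPDX-License-Identifier: GPL-2.0+:` carries a stray trailing colon after the license identifier; it should read `.. SPDX-License-Identifier: GPL-2.0+` so the tag is parsed as the identifier alone. Minor, same hunk: the Contact section wraps `u-boot@lists.denx.de`, `scripts/get_maintainers.pl` and the maintainer address in single backticks, which reST renders through the default interpreted-text role rather than as literals; double backticks give the literal rendering intended here. It would also help readers to state in that section that a report sent to the list is itself public disclosure, since the commit message frames public disclosure as the preferred initial position but the document text does not say so.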