| field | value | |
|---|---|---|
| author | Tom Rini | 2022-11-03 14:25:44 -0400 |
| committer | Heinrich Schuchardt | 2022-11-06 10:50:04 +0100 |
| commit | 541e68d0ee61cb7141546481371b4cda2c33cf5e (patch) | |
| tree | 2849253dc719870f293e8a3dcf46c89527b817b9 /doc | |
| parent | f67cc2f05676da86a3c591f1938393439a47a4af (diff) | |
docs: Add a basic security document
Based loosely on the Linux kernel
Documentation/admin-guide/security-bugs.rst file, create a basic
security document for U-Boot. In sum, security issues should be
disclosed in public on the mailing list if at all possible as an initial
position.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/develop/index.rst | 3 | ||||
-rw-r--r-- | doc/develop/security.rst | 32 |
2 files changed, 34 insertions, 1 deletions
diff --git a/doc/develop/index.rst b/doc/develop/index.rst index 5934d9ffb11..97c526e997e 100644 --- a/doc/develop/index.rst +++ b/doc/develop/index.rst @@ -14,8 +14,9 @@ General patman process release_cycle - system_configuration + security sending_patches + system_configuration Implementation -------------- diff --git a/doc/develop/security.rst b/doc/develop/security.rst new file mode 100644 index 00000000000..84b130646f3 --- /dev/null +++ b/doc/develop/security.rst @@ -0,0 +1,32 @@ +.. SPDX-License-Identifier: GPL-2.0+: + +Handling of security vulnerabilities +==================================== + +The U-Boot project takes security very seriously. As such, we'd like to know +when a security bug is found so that it can be fixed and disclosed as quickly +as possible. + +Contact +------- + +The preferred initial point of contact is to send email to +`u-boot@lists.denx.de` and use `scripts/get_maintainers.pl` to also include any +relevant custodians. In addition, Tom Rini should be contacted at +`trini@konsulko.com`. + +CVE assignment +-------------- + +The U-Boot project cannot directly assign CVEs, nor do we require them for +reports or fixes, as this can needlessly complicate the process and may delay +the bug handling. If a reporter wishes to have a CVE identifier assigned ahead +of public disclosure, they will need to coordinate this on their own. When +such a CVE identifier is known before a patch is provided, it is desirable to +mention it in the commit message if the reporter agrees. + +Non-disclosure agreements +------------------------- + +The U-Boot project is not a formal body and therefore unable to enter any +non-disclosure agreements. |
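Review bot: the index.rst hunk does more than add `security`: it also removes `system_configuration` from above `sending_patches` and re-adds it below, which keeps the toctree alphabetical but is not mentioned in the commit message; a short clause such as "and sort system_configuration into place" would make the reorder intentional to anyone reading the log rather than looking like an accidental move.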
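Review bot: the first line of the new file, `+.. SPDX-License-Identifier: GPL-2.0+:`, has a stray trailing colon after the license expression, which is not part of the SPDX identifier syntax and will trip tooling that matches the tag exactly; drop it so the line reads `.. SPDX-License-Identifier: GPL-2.0+`. On the content, the Contact section points reporters at `u-boot@lists.denx.de` and `scripts/get_maintainers.pl` without stating that the list is public and archived, so a reporter may not realise that the initial report is itself public disclosure; the commit message states that this is the intended policy, but the document should say so explicitly, and should give a reporter who considers an issue too sensitive for the list something to do other than guess (the `trini@konsulko.com` address is listed only as an addition, not as an alternative).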