Lines Matching +full:openbmc +full:- +full:security
1 # How to report a security vulnerability
3 This describes how you can report an OpenBMC security vulnerability privately to
8 - You have information about a security problem or vulnerability which is not
10 - You want the problem fixed before public disclosure and you are willing to
12 - You understand the problem will eventually be publicly disclosed.
14 To begin the process: Privately contact the OpenBMC security response team and
17 - Suggest sending an email. Use `openbmc-security at lists.ozlabs.org`.
18 - If you know which source code repository is affected, find the repository
20 not, the security response team will help route the problem.
21 - Include details about the security problem such as:
22 - The version and configuration of OpenBMC the problem appears in.
23 - How to reproduce the problem.
24 - What are the symptoms.
25 - As the problem reporter, you will be included in the problem response.
27 Please note the OpenBMC project has multiple source code repositories. Each has
29 the security response team can help you route the problem.
31 When the project owners get a new security problem, they will create a [GitHub
32 security advisory][] in their repository and begin work. The advisory has draft
36 - The problem reporter.
37 - The OpenBMC security response team.
38 - Developers responsible for fixing the problem.
42 - The OpenBMC [CVE Numbering Authority (CNA)][] (members of the OpenBMC security
44 - Privately engage community members to understand and address the problem.
45 Anyone brought onboard should be given a link to the OpenBMC [security
47 - Work to determine the scope and severity of the problem, such as [CVSS
49 - Coordinate workarounds and fixes with you and the community.
50 - Coordinate announcement details with you, such as timing or how you want to be
52 - At the agreed time, publish the OpenBMC security advisory, reveal the fix, and
56 (SPECIAL REPORT CMU/SEI-2017-SR-022) for additional considerations.
60 - If the problem is not severe, please write an issue to the affected repository
62 - Join the OpenBMC community and fix the problem yourself.
63 - If you are unsure if the error is in OpenBMC (contrasted with upstream
65 version of OpenBMC), please report it and we will help you route it to the
67 - Discuss your topic in other
68 [OpenBMC communication channels](https://github.com/openbmc/openbmc).
70 [security response team guidelines]: ./obmc-security-response-team-guidelines.md
75 [github security advisory]:
76 …https://docs.github.com/en/code-security/repository-security-advisories/creating-a-repository-secu…