Lines Matching +full:controlled +full:- +full:remotely

13 - Keep problems private until announce.
14 - Work with diligence.
15 - Keep stakeholders informed.
21 - Within a day, acknowledge you received the report. Note that reports are
23 - Communicate by opening the GitHub draft security advisory as soon as the
29 - Determine if the problem is new or known.
30 - Determine if the problem is in OpenBMC.
31 - If the problem is in a project that OpenBMC uses, re-route the problem to
33 - Note that the problem may be in a customized version of OpenBMC but not
35 - Determine which OpenBMC areas should address the problem.
36 - [Create the draft security advisory][] and populate its fields.
37 - The Ecosystem would normally be "OpenBMC" and the package name is
39 - Please describe when the problem was introduced to help users learn if
44 - Use private channels, for example, email, GitHub draft security advisory,
46 - Inform contacts this is private work as part of the OpenBMC security
48 - Coordinate with all collaborators and keep them informed.
51 (SPECIAL REPORT CMU/SEI-2017-SR-022) may guide the process.
55 - Submit the problem to another security response team, for example, the
57 - Privately engage an OpenBMC maintainer or subject matter expert.
61 a remotely exploitable or low complexity attack that has high impact to
63 2. Avoid pre-announcing problems. Be especially careful with high severity
67 - Consider [contributing][] using a Gerrit [private change][] if everyone
69 - Consider using [Patch set][] emails to make reviews accessible to all
72 - Publish a security advisory to the affected OpenBMC repository.
73 - Make the Gerrit review publicly viewable.
74 - Publish the CVE in the CVE database.
80 [OpenBMC Security Advisory Template][]. Add the openbmc security-response group
87 For example: This fixes CVE-yyyy-nnnnn. Doing so helps downstream security
93 public) publish the security advisory, and email the security-response team.
95 [security vulnerability reporting process]: ./obmc-security-response-team.md
101 https://github.com/openbmc/docs/blob/master/CONTRIBUTING.md#submitting-changes-via-gerrit-server
103 https://github.com/openbmc/docs/blob/master/release/release-notes.md
105 https://gerrit-review.googlesource.com/Documentation/intro-user.html#private-changes
108 …https://docs.github.com/en/code-security/repository-security-advisories/creating-a-repository-secu…
109 [openbmc security advisory template]: obmc-github-security-advisory-template.md
115 - Thank you for reporting this.
116 - Share preliminary results of the analysis.
117 - Share preliminary OpenBMC plans or that we are analyzing the problem.
118 - Set expectations for follow-up communications.
147 TO: openbmc-security@lists.ozlabs.org, openbmc@lists.ozlabs.org
156 https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md
163 - https://bestpractices.coreinfrastructure.org/en/projects/34
164 - https://www.kernel.org/doc/html/v4.16/admin-guide/security-bugs.html
165 - https://oss-security.openwall.org/wiki/mailing-lists/distros
166 - [ISO/IEC 29147:2018 vulnerability disclosure](https://www.iso.org/standard/72311.html)
170 The security response team (SRT) is controlled by the OpenBMC Technical Steering
174 - Although individuals join the SRT, it is really organizations which join as
176 - Participate in their organization's SRT.
177 - Designate backup OpenBMC SRT members.
178 - Share OpenBMC security vulnerability information within their organization
180 - Membership is intended for organizations which have a vested interest in
182 - Organizations which have products or services built on OpenBMC which are
185 - Organizations which focus on BMC security research or security response.
186 - Evaluation of an organization may be based on its members' OpenBMC community
188 - Membership should not be granted without compelling reason. The intention is
192 The security response team uses the `openbmc-security at lists.ozlabs.org`
196 `https://lists.ozlabs.org/listinfo/openbmc-security`.
210 https://github.com/openbmc/docs/blob/master/security/how-to-report-a-security-vulnerability.md
216 openbmc-security@lists.ozlabs.org email list are by invitation only
220 https://github.com/openbmc/openbmc/wiki/Security-working-group.