# How to report a security vulnerability

This describes how you can report an OpenBMC security vulnerability privately to give the project time to address the problem before public disclosure.

The main ideas are:

- You have information about a security problem which is not yet publicly available.
- You want the problem fixed before public disclosure and you are willing to help make that happen.
- You understand the problem will be publicly disclosed.

To begin the process:

- Send an email to `openbmc-security@lists.ozlabs.org` with details about the security problem such as:
  - the version and configuration of OpenBMC the problem appears in
  - how to reproduce the problem
  - what the symptoms are

The OpenBMC security response team will respond to you and work to address the problem. Activities may include:

- Privately engage community members to understand and address the problem.
- Work to determine the scope and severity of the problem, such as [CVSS metrics](https://www.first.org/cvss/calculator/3.0).
- Work to create or identify an existing [CVE](http://cve.mitre.org/about/index.html).
- Coordinate workarounds and fixes with you and the community.
- Coordinate announcement details with you, such as timing or how you want to be credited.
- Create an OpenBMC security advisory.

Alternatives to this process:

- If the problem is not severe, please write an issue to the affected repository or email the list.
- Join the OpenBMC community and fix the problem yourself.
- If you are unsure if the error is in OpenBMC (contrasted with upstream projects such as the Linux kernel or downstream projects such as a customized version of OpenBMC), please report it and we will help you route it to the correct area.
- Discuss your topic in other [OpenBMC communication channels](https://github.com/openbmc/openbmc).