109d4eaaeSJames Mihm# Security Policy 209d4eaaeSJames Mihm 309d4eaaeSJames Mihm## How to report a security vulnerability 409d4eaaeSJames Mihm 5f4febd00SPatrick WilliamsThis describes how you can report an OpenBMC security vulnerability privately to 6f4febd00SPatrick Williamsgive the project time to address the problem before public disclosure. 709d4eaaeSJames Mihm 809d4eaaeSJames MihmThe main ideas are: 9f4febd00SPatrick Williams 10f4febd00SPatrick Williams- You have information about a security problem which is not yet publicly 11f4febd00SPatrick Williams available. 12f4febd00SPatrick Williams- You want the problem fixed before public disclosure and you are willing to 13f4febd00SPatrick Williams help make that happen. 1409d4eaaeSJames Mihm- You understand the problem will eventually be publicly disclosed. 1509d4eaaeSJames Mihm 1609d4eaaeSJames MihmTo begin the process: 17f4febd00SPatrick Williams 18f4febd00SPatrick Williams- Send an email to `openbmc-security at lists.ozlabs.org` with details about the 19f4febd00SPatrick Williams security problem such as: 2009d4eaaeSJames Mihm - the version and configuration of OpenBMC the problem appears in 2109d4eaaeSJames Mihm - how to reproduce the problem 2209d4eaaeSJames Mihm - what are the symptoms 23f4febd00SPatrick Williams- As the problem reporter, you will be included in the email thread for the 24f4febd00SPatrick Williams problem. 2509d4eaaeSJames Mihm 26f4febd00SPatrick WilliamsThe OpenBMC security response team (SRT) will respond to you and work to address 27f4febd00SPatrick Williamsthe problem. Activities may include: 28f4febd00SPatrick Williams 29f4febd00SPatrick Williams- Privately engage community members to understand and address the problem. 30f4febd00SPatrick Williams Anyone brought onboard should be given a link to the OpenBMC [security 31f4febd00SPatrick Williams response team guidelines][]. 32*85706020SAndrew Geissler- Work to determine the scope and severity of the problem, such as [CVSS metrics][]. 3309d4eaaeSJames Mihm- Work to create or identify an existing [CVE][]. 3409d4eaaeSJames Mihm- Coordinate workarounds and fixes with you and the community. 35f4febd00SPatrick Williams- Coordinate announcement details with you, such as timing or how you want to be 36f4febd00SPatrick Williams credited. 3709d4eaaeSJames Mihm- Create an OpenBMC security advisory. 3809d4eaaeSJames Mihm 39*85706020SAndrew GeisslerPlease refer to the [CERT Guide to Coordinated Vulnerability Disclosure][], (SPECIAL 40*85706020SAndrew GeisslerREPORT CMU/SEI-2017-SR-022) for additional considerations. 4109d4eaaeSJames Mihm 4209d4eaaeSJames MihmAlternatives to this process: 43f4febd00SPatrick Williams 44f4febd00SPatrick Williams- If the problem is not severe, please write an issue to the affected repository 45f4febd00SPatrick Williams or email the list. 4609d4eaaeSJames Mihm- Join the OpenBMC community and fix the problem yourself. 47f4febd00SPatrick Williams- If you are unsure if the error is in OpenBMC (contrasted with upstream 48f4febd00SPatrick Williams projects such as the Linux kernel or downstream projects such as a customized 49f4febd00SPatrick Williams version of OpenBMC), please report it and we will help you route it to the 50f4febd00SPatrick Williams correct area. 51f4febd00SPatrick Williams- Discuss your topic in other 52f4febd00SPatrick Williams [OpenBMC communication channels](https://github.com/openbmc/openbmc). 5309d4eaaeSJames Mihm 5409d4eaaeSJames Mihm[security response team guidelines]: ./obmc-security-response-team-guidelines.md 55f4febd00SPatrick Williams[cvss metrics]: https://www.first.org/cvss/calculator/3.0 56f4febd00SPatrick Williams[cve]: http://cve.mitre.org/about/index.html 57f4febd00SPatrick Williams[cert guide to coordinated vulnerability disclosure]: 58f4febd00SPatrick Williams https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf 59