# Security Policy

## How to report a security vulnerability

This describes how you can report an OpenBMC security vulnerability
privately, to give the project time to address the problem before
public disclosure.

The main ideas are:
 - You have information about a security problem that is not yet
   publicly available.
 - You want the problem fixed before public disclosure, and
   you are willing to help make that happen.
 - You understand that the problem will eventually be publicly disclosed.

To begin the process:
 - Send an email to `openbmc-security at lists.ozlabs.org` with details
   about the security problem, such as:
    - the version and configuration of OpenBMC the problem appears in
    - how to reproduce the problem
    - what the symptoms are
 - As the problem reporter, you will be included in the email thread
   for the problem.

The OpenBMC security response team (SRT) will respond to you and work to
address the problem. Activities may include:
 - Privately engaging community members to understand and address the
   problem. Anyone brought on board should be given a link to the
   OpenBMC [security response team guidelines][].
 - Working to determine the scope and severity of the problem,
   for example using [CVSS metrics][].
 - Working to create a new [CVE][] or identify an existing one.
 - Coordinating workarounds and fixes with you and the community.
 - Coordinating announcement details with you, such as timing or
   how you want to be credited.
 - Creating an OpenBMC security advisory.

Please refer to the [CERT Guide to Coordinated Vulnerability Disclosure][]
(Special Report CMU/SEI-2017-SR-022) for additional considerations.

Alternatives to this process:
 - If the problem is not severe, please open an issue in the affected
   repository or email the list.
 - Join the OpenBMC community and fix the problem yourself.
 - If you are unsure whether the error is in OpenBMC (as opposed to
   upstream projects such as the Linux kernel, or downstream projects
   such as a customized version of OpenBMC), please report it and we
   will help you route it to the correct area.
 - Discuss your topic in other [OpenBMC communication channels](https://github.com/openbmc/openbmc).

[security response team guidelines]: ./obmc-security-response-team-guidelines.md
[CVSS metrics]: https://www.first.org/cvss/calculator/3.0
[CVE]: http://cve.mitre.org/about/index.html
[CERT Guide to Coordinated Vulnerability Disclosure]: https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf