1# Security Policy 2 3## How to report a security vulnerability 4 5This describes how you can report an OpenBMC security vulnerability privately to 6give the project time to address the problem before public disclosure. 7 8The main ideas are: 9 10- You have information about a security problem which is not yet publicly 11 available. 12- You want the problem fixed before public disclosure and you are willing to 13 help make that happen. 14- You understand the problem will eventually be publicly disclosed. 15 16To begin the process: 17 18- Send an email to `openbmc-security at lists.ozlabs.org` with details about the 19 security problem such as: 20 - the version and configuration of OpenBMC the problem appears in 21 - how to reproduce the problem 22 - what are the symptoms 23- As the problem reporter, you will be included in the email thread for the 24 problem. 25 26The OpenBMC security response team (SRT) will respond to you and work to address 27the problem. Activities may include: 28 29- Privately engage community members to understand and address the problem. 30 Anyone brought onboard should be given a link to the OpenBMC [security 31 response team guidelines][]. 32- Work to determine the scope and severity of the problem, such as [CVSS 33 metrics][]. 34- Work to create or identify an existing [CVE][]. 35- Coordinate workarounds and fixes with you and the community. 36- Coordinate announcement details with you, such as timing or how you want to be 37 credited. 38- Create an OpenBMC security advisory. 39 40Please refer to the [CERT Guide to Coordinated Vulnerability Disclosure][], 41(SPECIAL REPORT CMU/SEI-2017-SR-022) for additional considerations. 42 43Alternatives to this process: 44 45- If the problem is not severe, please write an issue to the affected repository 46 or email the list. 47- Join the OpenBMC community and fix the problem yourself. 48- If you are unsure if the error is in OpenBMC (contrasted with upstream 49 projects such as the Linux kernel or downstream projects such as a customized 50 version of OpenBMC), please report it and we will help you route it to the 51 correct area. 52- Discuss your topic in other 53 [OpenBMC communication channels](https://github.com/openbmc/openbmc). 54 55[security response team guidelines]: ./obmc-security-response-team-guidelines.md 56[cvss metrics]: https://www.first.org/cvss/calculator/3.0 57[cve]: http://cve.mitre.org/about/index.html 58[cert guide to coordinated vulnerability disclosure]: 59 https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf 60