# How to report a security vulnerability

This describes how you can report an OpenBMC security vulnerability privately to
give the project time to address the problem before public disclosure.

The main ideas are:

- You have information about a security problem or vulnerability which is not
  yet publicly available.
- You want the problem fixed before public disclosure and you are willing to
  help make that happen.
- You understand the problem will eventually be publicly disclosed.

To begin the process: Privately contact the OpenBMC security response team and
(if known) the project maintainer:

- We suggest sending an email. Use `openbmc-security at lists.ozlabs.org`.
- If you know which source code repository is affected, find the repository
  owner or maintainer contact information in the OWNERS or MAINTAINERS file. If
  not, the security response team will help route the problem.
- Include details about the security problem such as:
  - The version and configuration of OpenBMC the problem appears in.
  - How to reproduce the problem.
  - What the symptoms are.
- As the problem reporter, you will be included in the problem response.

Please note the OpenBMC project has multiple source code repositories. Each has
separate owners. If you do not know which repository is affected, the owner or
the security response team can help you route the problem.

When the project owners get a new security problem, they will create a [GitHub
security advisory][] in their repository and begin work. The advisory has draft
status, which means only the collaborators can see it. Collaborators should be
added as follows:

- The problem reporter.
- The OpenBMC security response team.
- Developers responsible for fixing the problem.

The collaborators work to resolve the problem. Activities may include:

- The OpenBMC [CVE Numbering Authority (CNA)][] (members of the OpenBMC security
  response team) will help clarify the problem and assign CVEs.
- Privately engage community members to understand and address the problem.
  Anyone brought onboard should be given a link to the OpenBMC [security
  response team guidelines][].
- Work to determine the scope and severity of the problem, such as
  [CVSS metrics][].
- Coordinate workarounds and fixes with you and the community.
- Coordinate announcement details with you, such as timing or how you want to be
  credited.
- At the agreed time, publish the OpenBMC security advisory, reveal the fix, and
  publish the CVE.

Please refer to the [CERT Guide to Coordinated Vulnerability Disclosure][]
(SPECIAL REPORT CMU/SEI-2017-SR-022) for additional considerations.

Alternatives to this process:

- If the problem is not severe, please write an issue to the affected repository
  or email the list.
- Join the OpenBMC community and fix the problem yourself.
- If you are unsure if the error is in OpenBMC (contrasted with upstream
  projects such as the Linux kernel or downstream projects such as a customized
  version of OpenBMC), please report it and we will help you route it to the
  correct area.
- Discuss your topic in other
  [OpenBMC communication channels](https://github.com/openbmc/openbmc).

[security response team guidelines]: ./obmc-security-response-team-guidelines.md
[cvss metrics]: https://www.first.org/cvss/calculator/3.0
[cve]: http://cve.mitre.org/about/index.html
[cert guide to coordinated vulnerability disclosure]:
  https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf
[github security advisory]:
  https://docs.github.com/en/code-security/repository-security-advisories/creating-a-repository-security-advisory
[cve numbering authority (cna)]: https://www.cve.org/ProgramOrganization/CNAs