# How to report a security vulnerability

This describes how you can report an OpenBMC security vulnerability
privately to give the project time to address the problem before
public disclosure.

The main ideas are:
 - You have information about a security problem which is not yet
   publicly available.
 - You want the problem fixed before public disclosure and
   you are willing to help make that happen.
 - You understand the problem will eventually be publicly disclosed.

To begin the process:
 - Send an email to `openbmc-security at lists.ozlabs.org` with details
   about the security problem such as:
   - the version and configuration of OpenBMC the problem appears in
   - how to reproduce the problem
   - what the symptoms are
 - As the problem reporter, you will be included in the email thread
   for the problem.

The OpenBMC security response team (SRT) will respond to you and work to
address the problem.  Activities may include:
 - Privately engage community members to understand and address the
   problem.  Anyone brought onboard should be given a link to the
   OpenBMC [security response team guidelines][].
 - Work to determine the scope and severity of the problem,
   such as [CVSS metrics][].
 - Work to create or identify an existing [CVE][].
 - Coordinate workarounds and fixes with you and the community.
 - Coordinate announcement details with you, such as timing or
   how you want to be credited.
 - Create an OpenBMC security advisory.

Please refer to the [CERT Guide to Coordinated Vulnerability Disclosure][]
(SPECIAL REPORT CMU/SEI-2017-SR-022) for additional considerations.

Alternatives to this process:
 - If the problem is not severe, please open an issue in the affected
   repository or email the list.
 - Join the OpenBMC community and fix the problem yourself.
 - If you are unsure whether the error is in OpenBMC (contrasted with
   upstream projects such as the Linux kernel or downstream projects
   such as a customized version of OpenBMC), please report it and we
   will help you route it to the correct area.
 - Discuss your topic in other [OpenBMC communication channels](https://github.com/openbmc/openbmc).

[security response team guidelines]: ./obmc-security-response-team-guidelines.md
[CVSS metrics]: https://www.first.org/cvss/calculator/3.0
[CVE]: http://cve.mitre.org/about/index.html
[CERT Guide to Coordinated Vulnerability Disclosure]: https://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_503340.pdf
