# How to report a security vulnerability

This describes how you can report an OpenBMC security vulnerability
privately to give the project time to address the problem before
public disclosure.

The main ideas are:
 - You have information about a security problem which is not yet
   publicly available.
 - You want the problem fixed before public disclosure and
   you are willing to help make that happen.
 - You understand the problem will be publicly disclosed.

To begin the process:
 - Send an email to `openbmc-security@lists.ozlabs.org` with details
   about the security problem such as:
   - the version and configuration of OpenBMC the problem appears in
   - how to reproduce the problem
   - what the symptoms are

The OpenBMC security response team will respond to you and work to
address the problem. Activities may include:
 - Privately engage community members to understand and address the
   problem.
 - Work to determine the scope and severity of the problem,
   such as [CVSS metrics](https://www.first.org/cvss/calculator/3.0).
 - Work to create a [CVE](http://cve.mitre.org/about/index.html) or identify an existing one.
 - Coordinate workarounds and fixes with you and the community.
 - Coordinate announcement details with you, such as timing or
   how you want to be credited.
 - Create an OpenBMC security advisory.

Alternatives to this process:
 - If the problem is not severe, please open an issue in the affected
   repository or email the list.
 - Join the OpenBMC community and fix the problem yourself.
 - If you are unsure whether the error is in OpenBMC (as opposed to
   upstream projects such as the Linux kernel or downstream projects
   such as a customized version of OpenBMC), please report it and we
   will help you route it to the correct area.
 - Discuss your topic in other [OpenBMC communication channels](https://github.com/openbmc/openbmc).
