# The OpenBMC security vulnerability reporting process

This describes the OpenBMC security vulnerability reporting process, which is
intended to give the project time to address security problems before public
disclosure.

The main pieces are:

- a procedure to privately report security vulnerabilities
- a security response team to address reported vulnerabilities
- the openbmc-security email address for the response team
- guidelines for security response team members

The basic workflow is:

1. A community member reports a problem privately to the security response team
   (and to the repository maintainers, if known).
2. The responders (including the security response team, the repository
   maintainers, and the problem submitter) work to understand the problem.
3. The repository maintainer creates an OpenBMC security advisory which
   explains the problem, its severity, and how to protect your systems that
   were built on OpenBMC.
4. The responders privately engage community members to create workarounds and
   fixes and to negotiate disclosure dates.
5. The OpenBMC security advisory is published along with any accompanying CVEs.

Note that the OpenBMC security response team is distinct from the OpenBMC
security working group, which remains completely open.

The
[How to privately report a security vulnerability](./how-to-report-a-security-vulnerability.md)
web page explains how OpenBMC community members can report a security
vulnerability and get a fix for it before public announcement of the
vulnerability.

The `openbmc-security at lists.ozlabs.org` email address is the primary
communication vehicle between the person who reported the problem and the
security response team, and the initial communication channel between the
security response team members.

The
[Guidelines for security response team members](./obmc-security-response-team-guidelines.md)
contain collected wisdom for the response team and community members who are
working to fix the problem.