# The OpenBMC security vulnerability reporting process

This describes the OpenBMC security vulnerability reporting process,
which is intended to give the project time to address security
problems before public disclosure.

The main pieces are:
 - a procedure to privately report security vulnerabilities
 - a security response team to address reported vulnerabilities
 - the openbmc-security email address for the response team
 - guidelines for security response team members

The basic workflow is:
 1. A community member reports a problem privately to the security
    response team (and to the repository maintainers, if known).
 2. The responders (including the security response team, the
    repository maintainers, and the problem submitter) work to
    understand the problem.
 3. The repository maintainer creates an OpenBMC security advisory
    which explains the problem, its severity, and how to protect your
    systems that were built on OpenBMC.
 4. The responders privately engage community members to create
    workarounds and fixes and to negotiate disclosure dates.
 5. The OpenBMC security advisory is published along with any
    accompanying CVEs.

Note that the OpenBMC security response team is distinct from the
OpenBMC security working group, which remains completely open.

The [How to privately report a security vulnerability](./how-to-report-a-security-vulnerability.md)
web page explains how OpenBMC community members can report a security
vulnerability and get a fix for it before public announcement of the
vulnerability.

The `openbmc-security at lists.ozlabs.org` email address is the primary
communication vehicle between the person who reported the problem and
the security response team, and the initial communication channel
between the security response team members.

The [Guidelines for security response team members](./obmc-security-response-team-guidelines.md)
contain collected wisdom for the response team and community members
who are working to fix the problem.