1# The OpenBMC security vulnerability reporting process 2 3This describes the OpenBMC security vulnerability reporting process 4which is intended to give the project time to address security 5problems before public disclosure. 6 7The main pieces are: 8 - a procedure to privately report security vulnerabilities 9 - a security response team to address reported vulnerabilities 10 - the openbmc-security email address for the response team 11 - guidelines for security response team members 12 13The basic workflow is: 14 1. A community member reports a problem privately to the security 15 response team. 16 2. The response team works to understand the problem and privately 17 engages community members to resolve it. 18 3. Workarounds and fixes are created, reviewed, and approved. 19 4. The security response team creates an OpenBMC security advisory 20 which explains the problem, its severity, and how to protect 21 your systems that were built on OpenBMC. 22 23Note that the OpenBMC security response team is distinct from the 24OpenBMC security working group which remains completely open. 25 26The [How to privately report a security vulnerability](./how-to-report-a-security-vulnerability.md) 27web page explains how OpenBMC community members can report a security 28vulnerability and get a fix for it before public announcement of the 29vulnerability. 30 31The `openbmc-security@lists.ozlabs.org` email address is the primary 32communication vehicle between the person who reported the problem and 33the security response team, and the initial communication between the 34security response team members. 35 36The [Guidelines for security response team members](./obmc-security-response-team-guidelines.md) 37contain collected wisdom for the response team and community members 38who are working to fix the problem. 39