docs/security/obmc-security-response-team.md

# The OpenBMC security vulnerability reporting process

This describes the OpenBMC security vulnerability reporting process
which is intended to give the project time to address security
problems before public disclosure.

The main pieces are:
 - a procedure to privately report security vulnerabilities
 - a security response team to address reported vulnerabilities
 - the openbmc-security email address for the response team
 - guidelines for security response team members

The basic workflow is:
 1. A community member reports a problem privately to the security
    response team (and to the repository maintainers if known).
 2. The responders (including the security response team, the
    repository maintainers, and the problem submitter) work to
    understand the problem.
 3. The repository maintainer creates an OpenBMC security advisory
    which explains the problem, its severity, and how to protect your
    systems that were built on OpenBMC.
 4. The responders privately engage community members to create
    workarounds and fixes and to negotiate disclosure dates.
 5. The OpenBMC security advisory is published along with any
    accompanying CVEs.

Note that the OpenBMC security response team is distinct from the
OpenBMC security working group which remains completely open.

The [How to privately report a security vulnerability](./how-to-report-a-security-vulnerability.md)
web page explains how OpenBMC community members can report a security
vulnerability and get a fix for it before public announcement of the
vulnerability.

The `openbmc-security at lists.ozlabs.org` email address is the primary
communication vehicle between the person who reported the problem and
the security response team, and the initial communication between the
security response team members.

The [Guidelines for security response team members](./obmc-security-response-team-guidelines.md)
contain collected wisdom for the response team and community members
who are working to fix the problem.