.. SPDX-License-Identifier: CC-BY-SA-2.0-UK

Dealing with Vulnerability Reports
**********************************

The Yocto Project and OpenEmbedded are open-source, community-based projects
used in numerous products. They assemble multiple other open-source projects,
and need to handle security issues and practices both internal (in the code
maintained by both projects), and external (maintained by other projects and
organizations).

This manual assembles security-related information concerning the whole
ecosystem. It includes information on reporting a potential security issue,
the operation of the YP Security team and how to contribute to the
related code. It is written to be useful for both security researchers and
YP developers.

How to report a potential security vulnerability?
=================================================

If you would like to report a public issue (for example, one with a released
CVE number), please report it using the
:yocto_bugs:`Security Bugzilla </enter_bug.cgi?product=Security>`.

If you are dealing with a not-yet-released issue, or an urgent one, please send
a message to security AT yoctoproject DOT org, including as many details as
possible: the layer or software module affected, the recipe and its version,
and any example code, if available. This mailing list is monitored by the
Yocto Project Security team.

For each layer, you might also look for specific instructions (if any) for
reporting potential security issues in the specific ``SECURITY.md`` file at the
root of the repository. Instructions on how and where to submit a patch are
usually available in ``README.md``. If this is your first patch to the
Yocto Project/OpenEmbedded, you might want to have a look into the
Contributor's Manual section
":ref:`contributor-guide/submit-changes:preparing changes for submission`".

Branches maintained with security fixes
---------------------------------------

See the
:ref:`Release process <ref-manual/release-process:Stable Release Process>`
documentation for details regarding the policies and maintenance of stable
branches.

The :yocto_wiki:`Releases page </Releases>` contains a list
of all releases of the Yocto Project. Versions in gray are no longer actively
maintained with security patches, but well-tested patches may still be accepted
for them for significant issues.

Security-related discussions at the Yocto Project
-------------------------------------------------

We have set up two security-related mailing lists:

 - Public List: yocto [dash] security [at] yoctoproject [dot] org

   This is a public mailing list for anyone to subscribe to. This list is an
   open list to discuss public security issues/patches and security-related
   initiatives. For more information, including subscription information,
   please see the :yocto_lists:`yocto-security mailing list info page </g/yocto-security>`.

 - Private List: security [at] yoctoproject [dot] org

   This is a private mailing list for reporting non-published potential
   vulnerabilities. The list is monitored by the Yocto Project Security team.


What you should do if you find a security vulnerability
-------------------------------------------------------

If you find a security flaw: a crash, an information leakage, or anything that
can have a security impact if exploited in any Open Source software built or
used by the Yocto Project, please report this to the Yocto Project Security
Team. If you prefer to contact the upstream project directly, please send a
copy to the security team at the Yocto Project as well. If you believe this is
highly sensitive information, please report the vulnerability in a secure way,
i.e. encrypt the email and send it to the private list. This ensures that
the exploit is not leaked and exploited before a response/fix has been generated.

Security team
=============

The Yocto Project/OpenEmbedded security team coordinates the work on security
subjects in the project. All general discussion takes place publicly. The
Security Team only uses confidential communication tools to deal with private
vulnerability reports before they are released.

Security team appointment
-------------------------

The Yocto Project Security Team consists of at least three members. When new
members are needed, the Yocto Project Technical Steering Committee (YP TSC)
asks for nominations by public channels including a nomination deadline.
Self-nominations are possible. When the deadline is
reached, the YP TSC posts the list of candidates for the comments of project
participants and developers. Comments may be sent publicly or privately to the
YP and OE TSCs. The candidates are approved by both YP TSC and OpenEmbedded
Technical Steering Committee (OE TSC) and the final list of the team members
is announced publicly. The aim is to have people representing technical
leadership, security knowledge and infrastructure present with enough people
to provide backup/coverage but keep the notification list small enough to
minimize information risk and maintain trust.

YP Security Team members may resign at any time.

Security Team Operations
------------------------

The work of the Security Team might require high confidentiality. Team members
are individuals selected by merit and do not represent the companies they work
for. They do not share information about confidential issues outside of the team
and do not hint about ongoing embargoes.

Team members can bring in domain experts as needed. Those people should be
added to individual issues only and adhere to the same standards as the YP
Security Team.

The YP security team organizes its meetings and communication as needed.

When the YP Security team receives a report about a potential security
vulnerability, they quickly analyze and notify the reporter of the result.
They might also request more information.

If the issue is confirmed and affects the code maintained by the YP, they
confidentially notify maintainers of that code and work with them to prepare
a fix.

If the issue is confirmed and affects an upstream project, the YP security team
notifies the project. Usually, the upstream project analyzes the problem again.
If they deem it a real security problem in their software, they develop and
release a fix following their security policy. They may want to include the
original reporter in the loop. There is also sometimes some coordination for
handling patches, backporting patches, etc., or just understanding the problem
or what caused it.

When the fix is publicly available, the YP security team member or the
package maintainer sends patches against the YP code base, following usual
procedures, including public code review.

What Yocto Security Team does when it receives a security vulnerability
-----------------------------------------------------------------------

The YP Security Team performs a quick analysis and would usually report
the flaw to the upstream project. Normally the upstream project analyzes the
problem. If they deem it a real security problem in their software, they
develop and release a fix following their own security policy. They may want
to include the original reporter in the loop. There is also sometimes some
coordination for handling patches, backporting patches, etc., or just
understanding the problem or what caused it.

The security policy of the upstream project might include a notification to
Linux distributions or other important downstream projects in advance to
discuss coordinated disclosure. These mailing lists are normally non-public.

When the upstream project releases a version with the fix, they are responsible
for contacting `Mitre <https://www.cve.org/>`__ to get a CVE number assigned and
the CVE record published.

If an upstream project does not respond quickly
-----------------------------------------------

If an upstream project does not fix the problem in a reasonable time,
the Yocto Project Security Team will contact other interested parties (usually
other distributions) in the community and together try to solve the
vulnerability as quickly as possible.

The Yocto Project Security team adheres to the 90-day disclosure policy
by default. An increase of the embargo time is possible when necessary.

Current Security Team members
-----------------------------

For secure communications, please send your messages encrypted using the GPG
keys. Remember, message headers are not encrypted, so do not include sensitive
information in the subject line.

 - Ross Burton: <ross@burtonini.com> `Public key <https://keys.openpgp.org/search?q=ross%40burtonini.com>`__

 - Michael Halstead: <mhalstead [at] linuxfoundation [dot] org>
   `Public key <https://pgp.mit.edu/pks/lookup?op=vindex&search=0x3373170601861969>`__
   or `Public key <https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xd1f2407285e571ed12a407a73373170601861969>`__

 - Richard Purdie: <richard.purdie@linuxfoundation.org> `Public key <https://keys.openpgp.org/search?q=richard.purdie%40linuxfoundation.org>`__

 - Marta Rybczynska: <marta DOT rybczynska [at] syslinbit [dot] com> `Public key <https://keys.openpgp.org/search?q=marta.rybczynska@syslinbit.com>`__

 - Steve Sakoman: <steve [at] sakoman [dot] com> `Public key <https://keys.openpgp.org/search?q=steve%40sakoman.com>`__