| Tom Rini | 541e68d | 2022-11-03 14:25:44 -0400 | [diff] [blame] | 1 | .. SPDX-License-Identifier: GPL-2.0+: |
| 2 | |
| 3 | Handling of security vulnerabilities |
| 4 | ==================================== |
| 5 | |
| 6 | The U-Boot project takes security very seriously. As such, we'd like to know |
| 7 | when a security bug is found so that it can be fixed and disclosed as quickly |
| 8 | as possible. |
| 9 | |
| 10 | Contact |
| 11 | ------- |
| 12 | |
| 13 | The preferred initial point of contact is to send email to |
| 14 | `u-boot@lists.denx.de` and use `scripts/get_maintainers.pl` to also include any |
| 15 | relevant custodians. In addition, Tom Rini should be contacted at |
| 16 | `trini@konsulko.com`. |
| 17 | |
| 18 | CVE assignment |
| 19 | -------------- |
| 20 | |
| 21 | The U-Boot project cannot directly assign CVEs, nor do we require them for |
| 22 | reports or fixes, as this can needlessly complicate the process and may delay |
| 23 | the bug handling. If a reporter wishes to have a CVE identifier assigned ahead |
| 24 | of public disclosure, they will need to coordinate this on their own. When |
| 25 | such a CVE identifier is known before a patch is provided, it is desirable to |
| 26 | mention it in the commit message if the reporter agrees. |
| 27 | |
| 28 | Non-disclosure agreements |
| 29 | ------------------------- |
| 30 | |
| 31 | The U-Boot project is not a formal body and therefore unable to enter any |
| 32 | non-disclosure agreements. |