summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorTom Rini <trini@konsulko.com>2022-11-03 14:25:44 -0400
committerHeinrich Schuchardt <heinrich.schuchardt@canonical.com>2022-11-06 10:50:04 +0100
commit541e68d0ee61cb7141546481371b4cda2c33cf5e (patch)
tree2849253dc719870f293e8a3dcf46c89527b817b9 /doc
parentf67cc2f05676da86a3c591f1938393439a47a4af (diff)
downloadu-boot-541e68d0ee61cb7141546481371b4cda2c33cf5e.tar.gz
docs: Add a basic security document
Based loosely on the Linux kernel Documentation/admin-guide/security-bugs.rst file, create a basic security document for U-Boot. In sum, security issues should be disclosed in public on the mailing list if at all possible as an initial position. Signed-off-by: Tom Rini <trini@konsulko.com> Reviewed-by: Simon Glass <sjg@chromium.org> Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Diffstat (limited to 'doc')
-rw-r--r--doc/develop/index.rst3
-rw-r--r--doc/develop/security.rst32
2 files changed, 34 insertions, 1 deletions
diff --git a/doc/develop/index.rst b/doc/develop/index.rst
index 5934d9ffb1..97c526e997 100644
--- a/doc/develop/index.rst
+++ b/doc/develop/index.rst
@@ -14,8 +14,9 @@ General
patman
process
release_cycle
- system_configuration
+ security
sending_patches
+ system_configuration
Implementation
--------------
diff --git a/doc/develop/security.rst b/doc/develop/security.rst
new file mode 100644
index 0000000000..84b130646f
--- /dev/null
+++ b/doc/develop/security.rst
@@ -0,0 +1,32 @@
+.. SPDX-License-Identifier: GPL-2.0+:
+
+Handling of security vulnerabilities
+====================================
+
+The U-Boot project takes security very seriously. As such, we'd like to know
+when a security bug is found so that it can be fixed and disclosed as quickly
+as possible.
+
+Contact
+-------
+
+The preferred initial point of contact is to send email to
+`u-boot@lists.denx.de` and use `scripts/get_maintainers.pl` to also include any
+relevant custodians. In addition, Tom Rini should be contacted at
+`trini@konsulko.com`.
+
+CVE assignment
+--------------
+
+The U-Boot project cannot directly assign CVEs, nor do we require them for
+reports or fixes, as this can needlessly complicate the process and may delay
+the bug handling. If a reporter wishes to have a CVE identifier assigned ahead
+of public disclosure, they will need to coordinate this on their own. When
+such a CVE identifier is known before a patch is provided, it is desirable to
+mention it in the commit message if the reporter agrees.
+
+Non-disclosure agreements
+-------------------------
+
+The U-Boot project is not a formal body and therefore unable to enter any
+non-disclosure agreements.