[PATCH] docs: Add a basic security document

Tom Rini trini at konsulko.com
Thu Nov 3 19:25:44 CET 2022


Based loosely on the Linux kernel
Documentation/admin-guide/security-bugs.rst file, create a basic
security document for U-Boot.  In sum, security issues should be
disclosed in public on the mailing list if at all possible as an initial
position.

Signed-off-by: Tom Rini <trini at konsulko.com>
---
 doc/develop/index.rst    |  1 +
 doc/develop/security.rst | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 doc/develop/security.rst

diff --git a/doc/develop/index.rst b/doc/develop/index.rst
index 5934d9ffb115..04322efe59fd 100644
--- a/doc/develop/index.rst
+++ b/doc/develop/index.rst
@@ -15,6 +15,7 @@ General
    process
    release_cycle
    system_configuration
+   security
    sending_patches
 
 Implementation
diff --git a/doc/develop/security.rst b/doc/develop/security.rst
new file mode 100644
index 000000000000..84b130646f31
--- /dev/null
+++ b/doc/develop/security.rst
@@ -0,0 +1,32 @@
+.. SPDX-License-Identifier: GPL-2.0+:
+
+Handling of security vulnerabilities
+====================================
+
+The U-Boot project takes security very seriously.  As such, we'd like to know
+when a security bug is found so that it can be fixed and disclosed as quickly
+as possible.
+
+Contact
+-------
+
+The preferred initial point of contact is to send email to
+`u-boot at lists.denx.de` and use `scripts/get_maintainers.pl` to also include any
+relevant custodians. In addition, Tom Rini should be contacted at
+`trini at konsulko.com`.
+
+CVE assignment
+--------------
+
+The U-Boot project cannot directly assign CVEs, nor do we require them for
+reports or fixes, as this can needlessly complicate the process and may delay
+the bug handling. If a reporter wishes to have a CVE identifier assigned ahead
+of public disclosure, they will need to coordinate this on their own.  When
+such a CVE identifier is known before a patch is provided, it is desirable to
+mention it in the commit message if the reporter agrees.
+
+Non-disclosure agreements
+-------------------------
+
+The U-Boot project is not a formal body and therefore unable to enter any
+non-disclosure agreements.
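Review bot: the Contact section (the paragraph beginning "The preferred initial point of contact") never states that `u-boot at lists.denx.de` is a publicly archived list, so a reporter reading only this document cannot tell that mailing it is itself public disclosure; since the commit message says public disclosure on the list is the intended initial position, state that explicitly, for example "Note that the mailing list is public, so a report sent there is disclosed immediately; contact `trini at konsulko.com` directly if a report needs to be coordinated before it is made public." Two smaller points in the same hunk: the header `.. SPDX-License-Identifier: GPL-2.0+:` has a trailing colon that is not part of the SPDX identifier syntax and should be dropped, and the single-backtick spans around `scripts/get_maintainers.pl` and the two addresses use the reST default role, which Sphinx renders as emphasis rather than literal text; double backticks give the intended monospace rendering for paths and addresses.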
-- 
2.25.1
