[PATCH] docs: Add a basic security document

Heinrich Schuchardt xypron.glpk at gmx.de
Thu Nov 3 21:05:59 CET 2022


On 11/3/22 19:25, Tom Rini wrote:
> Based loosely on the Linux kernel
> Documentation/admin-guide/security-bugs.rst file, create a basic
> security document for U-Boot.  In sum, security issues should be
> disclosed in public on the mailing list if at all possible as an initial
> position.
>
> Signed-off-by: Tom Rini <trini at konsulko.com>
> ---
>   doc/develop/index.rst    |  1 +
>   doc/develop/security.rst | 32 ++++++++++++++++++++++++++++++++
>   2 files changed, 33 insertions(+)
>   create mode 100644 doc/develop/security.rst
>
> diff --git a/doc/develop/index.rst b/doc/develop/index.rst
> index 5934d9ffb115..04322efe59fd 100644
> --- a/doc/develop/index.rst
> +++ b/doc/develop/index.rst
> @@ -15,6 +15,7 @@ General
>      process
>      release_cycle
>      system_configuration
> +   security

Should we get this into alphabetic order?

>      sending_patches
>
>   Implementation
> diff --git a/doc/develop/security.rst b/doc/develop/security.rst
> new file mode 100644
> index 000000000000..84b130646f31
> --- /dev/null
> +++ b/doc/develop/security.rst
> @@ -0,0 +1,32 @@
> +.. SPDX-License-Identifier: GPL-2.0+:
> +
> +Handling of security vulnerabilities
> +====================================
> +
> +The U-Boot project takes security very seriously.  As such, we'd like to know
> +when a security bug is found so that it can be fixed and disclosed as quickly
> +as possible.
> +
> +Contact
> +-------
> +
> +The preferred initial point of contact is to send email to
> +`u-boot at lists.denx.de` and use `scripts/get_maintainers.pl` to also include any
> +relevant custodians. In addition, Tom Rini should be contacted at
> +`trini at konsulko.com`.
> +
> +CVE assignment
> +--------------
> +
> +The U-Boot project cannot directly assign CVEs, nor do we require them for
> +reports or fixes, as this can needlessly complicate the process and may delay
> +the bug handling. If a reporter wishes to have a CVE identifier assigned ahead
> +of public disclosure, they will need to coordinate this on their own.  When
> +such a CVE identifier is known before a patch is provided, it is desirable to
> +mention it in the commit message if the reporter agrees.
> +
> +Non-disclosure agreements
> +-------------------------
> +
> +The U-Boot project is not a formal body and therefore unable to enter any
> +non-disclosure agreements.
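Review bot: the SPDX line `.. SPDX-License-Identifier: GPL-2.0+:` has a stray trailing colon after the license identifier; other rst files in doc/ use `.. SPDX-License-Identifier: GPL-2.0+` with no colon, and the extra character may confuse license scanners. Two smaller points in the Contact section: the addresses and the script path are wrapped in single backticks, which reStructuredText renders as the default interpreted-text role rather than as literals, so use double backticks (``u-boot at lists.denx.de``, ``scripts/get_maintainers.pl``); and since the commit message states that the initial position is public disclosure on the list, the document itself should say so explicitly, e.g. add a sentence noting that the mailing list is public and archived and that a report sent there is therefore disclosed immediately, so a reporter who wants a private first contact knows to use the maintainer address instead.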

Otherwise
Reviewed-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
