[PATCH] docs: Add a basic security document
Tom Rini
trini at konsulko.com
Thu Nov 3 22:20:18 CET 2022
On Thu, Nov 03, 2022 at 09:05:59PM +0100, Heinrich Schuchardt wrote:
> On 11/3/22 19:25, Tom Rini wrote:
> > Based loosely on the Linux kernel
> > Documentation/admin-guide/security-bugs.rst file, create a basic
> > security document for U-Boot. In sum, security issues should be
> > disclosed in public on the mailing list if at all possible as an initial
> > position.
> >
> > Signed-off-by: Tom Rini <trini at konsulko.com>
> > ---
> > doc/develop/index.rst | 1 +
> > doc/develop/security.rst | 32 ++++++++++++++++++++++++++++++++
> > 2 files changed, 33 insertions(+)
> > create mode 100644 doc/develop/security.rst
> >
> > diff --git a/doc/develop/index.rst b/doc/develop/index.rst
> > index 5934d9ffb115..04322efe59fd 100644
> > --- a/doc/develop/index.rst
> > +++ b/doc/develop/index.rst
> > @@ -15,6 +15,7 @@ General
> > process
> > release_cycle
> > system_configuration
> > + security
>
> Should we get this into alphabetic order?
>
Whoops, can you fix when applying please?
> > sending_patches
> >
> > Implementation
> > diff --git a/doc/develop/security.rst b/doc/develop/security.rst
> > new file mode 100644
> > index 000000000000..84b130646f31
> > --- /dev/null
> > +++ b/doc/develop/security.rst
> > @@ -0,0 +1,32 @@
> > +.. SPDX-License-Identifier: GPL-2.0+:
> > +
> > +Handling of security vulnerabilities
> > +====================================
> > +
> > +The U-Boot project takes security very seriously. As such, we'd like to know
> > +when a security bug is found so that it can be fixed and disclosed as quickly
> > +as possible.
> > +
> > +Contact
> > +-------
> > +
> > +The preferred initial point of contact is to send email to
> > +`u-boot at lists.denx.de` and use `scripts/get_maintainers.pl` to also include any
> > +relevant custodians. In addition, Tom Rini should be contacted at
> > +`trini at konsulko.com`.
> > +
> > +CVE assignment
> > +--------------
> > +
> > +The U-Boot project cannot directly assign CVEs, nor do we require them for
> > +reports or fixes, as this can needlessly complicate the process and may delay
> > +the bug handling. If a reporter wishes to have a CVE identifier assigned ahead
> > +of public disclosure, they will need to coordinate this on their own. When
> > +such a CVE identifier is known before a patch is provided, it is desirable to
> > +mention it in the commit message if the reporter agrees.
> > +
> > +Non-disclosure agreements
> > +-------------------------
> > +
> > +The U-Boot project is not a formal body and therefore unable to enter any
> > +non-disclosure agreements.
>
> Otherwise
> Reviewed-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20221103/f649e027/attachment.sig>
More information about the U-Boot
mailing list