TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mcuboot / dc0ca086f98432b39a482c3ddcf214b9a44c2152^! / . / docs / SECURITY.md
commitdc0ca086f98432b39a482c3ddcf214b9a44c2152[log] [tgz]
authorRoman Okhrimenko <roman.okhrimenko@infineon.com>Wed Jun 21 20:49:51 2023 +0300
committerRoman Okhrimenko <roman.okhrimenko@infineon.com>Thu Jun 22 08:43:20 2023 +0300
tree5eebf0e798892f5fbae194362ba497cf36b8fd84
parent2516562fe35d0bc48d60d129324a683fba2f0480 [diff] [blame]
Infineon: Switch to 1.9.0 code base, add xmc7000 family support, refactor memory layer

diff --git a/docs/SECURITY.md b/docs/SECURITY.md
index aa50858..9eac59f 100644
--- a/docs/SECURITY.md
+++ b/docs/SECURITY.md

@@ -1,49 +1,54 @@
-# MCUboot project security policy
-
-## Reporting Security Issues
+# Project security policy
 
 The MCUboot team takes security, vulnerabilities, and weaknesses
 seriously.
 
-Security issues should be sent to the current maintainers of the
-project:
+## Reporting security issues
+
+You should report security issues either using our page at [Hackerone]
+(https://hackerone.com/mcuboot?type=team) or contacting directly the
+current maintainers of the project:
 
 - David Brown: davidb@davidb.org or david.brown@linaro.org
 - Fabio Utzig: utzig@apache.org
 
-If you wish to send encrypted email, you may use these PGP keys:
+If you wish to send an encrypted email, you may use these PGP keys:
 
+```
     pub   rsa4096 2011-10-14 [SC]
           DAFD760825AE2636AEA9CB19E6BA9F5C5E54DF82
     uid           [ultimate] David Brown <davidb@davidb.org>
     uid           [ultimate] David Brown <david.brown@linaro.org>
     sub   rsa4096 2011-10-14 [E]
+```
 
 and
 
+```
     pub   rsa4096 2017-07-28 [SC]
           126087C7E725625BC7E89CC7537097EDFD4A7339
     uid           [ unknown] Fabio Utzig <utzig@apache.org>
     uid           [ unknown] Fabio Utzig <utzig@utzig.org>
     sub   rsa4096 2017-07-28 [E]
+```
 
 Please include the word "SECURITY" as well as "MCUboot" in the subject
-of any messages.
+of any message.
 
-We will make our best effort to respond within a timely manner.  Most
+We will make our best effort to respond in a timely manner. Most
 vulnerabilities found within published code will undergo an embargo of
 90 days to allow time fixes to be developed and deployed.
 
-## Vulnerability Advisories
+## Vulnerability advisories
 
 Vulnerability reports and published fixes will be reported as follows:
 
-- Issues will be entered into Github's [Security Advisory
-  system](https://github.com/mcu-tools/mcuboot/security/advisories), with
+- Issues will be entered into MCUboot's [security advisory
+  system](https://github.com/mcu-tools/mcuboot/security/advisories) on GitHub, with
   the interested parties (including the reporter) added as viewers.
 
 - The release notes will contain a reference to any allocated CVE(s).
 
-- When any embargo is lifted, the Security Advisory page will be made
+- When the embargo is lifted, the security advisory page will be made
   public, and the public CVE database will be updated with all
   relevant information.