David Brown | 0d98a9c | 2019-10-02 13:59:42 -0600

# MCUboot project security policy

## Reporting Security Issues

The MCUboot team takes security, vulnerabilities, and weaknesses
seriously.

Security issues should be sent to the current maintainers of the
project:

- David Brown: davidb@davidb.org or david.brown@linaro.org
- Fabio Utzig: utzig@apache.org

```
pub   rsa4096 2011-10-14 [SC]
      DAFD760825AE2636AEA9CB19E6BA9F5C5E54DF82
uid           [ultimate] David Brown <davidb@davidb.org>
uid           [ultimate] David Brown <david.brown@linaro.org>
sub   rsa4096 2011-10-14 [E]
```

and

```
pub   rsa4096 2017-07-28 [SC]
      126087C7E725625BC7E89CC7537097EDFD4A7339
uid           [ unknown] Fabio Utzig <utzig@apache.org>
uid           [ unknown] Fabio Utzig <utzig@utzig.org>
sub   rsa4096 2017-07-28 [E]
```

Please include the word "SECURITY" as well as "MCUboot" in the subject
of any messages.

We will make our best effort to respond in a timely manner. Most
vulnerabilities found within published code will undergo an embargo of
90 days to allow time for fixes to be developed and deployed.

## Vulnerability Advisories

Vulnerability reports and published fixes will be reported as follows:

- Issues will be entered into GitHub's [Security Advisory
  system](https://github.com/JuulLabs-OSS/mcuboot/security/advisories), with
  the interested parties (including the reporter) added as viewers.

- The release notes will contain a reference to any allocated CVE(s).

- When any embargo is lifted, the Security Advisory page will be made
  public, and the public CVE database will be updated with all
  relevant information.