File: security.rst

u-boot 2025.01-3
.. SPDX-License-Identifier: GPL-2.0+:

Handling of security vulnerabilities
====================================

The U-Boot project takes security very seriously.  As such, we'd like to know
when a security bug is found so that it can be fixed and disclosed as quickly
as possible.

Contact
-------

The preferred initial point of contact is to send email to
`u-boot@lists.denx.de` and use `scripts/get_maintainers.pl` to also include any
relevant custodians. In addition, Tom Rini should be contacted at
`trini@konsulko.com`.

CVE assignment
--------------

The U-Boot project cannot directly assign CVEs, nor do we require them for
reports or fixes, as this can needlessly complicate the process and may delay
the bug handling. If a reporter wishes to have a CVE identifier assigned ahead
of public disclosure, they will need to coordinate this on their own.  When
such a CVE identifier is known before a patch is provided, it is desirable to
mention it in the commit message if the reporter agrees.

Non-disclosure agreements
-------------------------

The U-Boot project is not a formal body and is therefore unable to enter into
any non-disclosure agreements.