mcuboot/docs/SECURITY.md

# Project security policy

The MCUboot team takes security, vulnerabilities, and weaknesses
seriously.

## Reporting security issues

You should report security issues either using our page at [Hackerone]
(https://hackerone.com/mcuboot?type=team) or contacting directly the
current maintainers of the project:

- David Brown: davidb@davidb.org or david.brown@linaro.org
- Fabio Utzig: utzig@apache.org

If you wish to send an encrypted email, you may use these PGP keys:

```
    pub   rsa4096 2011-10-14 [SC]
          DAFD760825AE2636AEA9CB19E6BA9F5C5E54DF82
    uid           [ultimate] David Brown <davidb@davidb.org>
    uid           [ultimate] David Brown <david.brown@linaro.org>
    sub   rsa4096 2011-10-14 [E]
```

and

```
    pub   rsa4096 2017-07-28 [SC]
          126087C7E725625BC7E89CC7537097EDFD4A7339
    uid           [ unknown] Fabio Utzig <utzig@apache.org>
    uid           [ unknown] Fabio Utzig <utzig@utzig.org>
    sub   rsa4096 2017-07-28 [E]
```

Please include the word "SECURITY" as well as "MCUboot" in the subject
of any message.

We will make our best effort to respond in a timely manner. Most
vulnerabilities found within published code will undergo an embargo of
90 days to allow time fixes to be developed and deployed.

## Vulnerability advisories

Vulnerability reports and published fixes will be reported as follows:

- Issues will be entered into MCUboot's [security advisory
  system](https://github.com/mcu-tools/mcuboot/security/advisories) on GitHub, with
  the interested parties (including the reporter) added as viewers.

- The release notes will contain a reference to any allocated CVE(s).

- When the embargo is lifted, the security advisory page will be made
  public, and the public CVE database will be updated with all
  relevant information.
doc: Updated security.md Updated security.md: - Fixed small formatting issues - Fixed a pair of sentences. - Added mention to hackerone page. Signed-off-by: Francesco Servidio <francesco.servidio@nordicsemi.no> 2021-11-04 17:53:56 +08:00			`# Project security policy`
docs: Create initial security policy Signed-off-by: David Brown <david.brown@linaro.org> 2019-10-03 03:59:42 +08:00
			`The MCUboot team takes security, vulnerabilities, and weaknesses`
			`seriously.`

doc: Updated security.md Updated security.md: - Fixed small formatting issues - Fixed a pair of sentences. - Added mention to hackerone page. Signed-off-by: Francesco Servidio <francesco.servidio@nordicsemi.no> 2021-11-04 17:53:56 +08:00			`## Reporting security issues`

			`You should report security issues either using our page at [Hackerone]`
			`(https://hackerone.com/mcuboot?type=team) or contacting directly the`
			`current maintainers of the project:`
docs: Create initial security policy Signed-off-by: David Brown <david.brown@linaro.org> 2019-10-03 03:59:42 +08:00
			`- David Brown: davidb@davidb.org or david.brown@linaro.org`
			`- Fabio Utzig: utzig@apache.org`

doc: Updated security.md Updated security.md: - Fixed small formatting issues - Fixed a pair of sentences. - Added mention to hackerone page. Signed-off-by: Francesco Servidio <francesco.servidio@nordicsemi.no> 2021-11-04 17:53:56 +08:00			`If you wish to send an encrypted email, you may use these PGP keys:`
docs: Fix formatting of security document Markdown considers a block of indented text after a list item to be part of that list item. Insert a small piece of text at the top level to prevent that. Signed-off-by: David Brown <david.brown@linaro.org> 2019-10-08 23:59:55 +08:00
doc: Updated security.md Updated security.md: - Fixed small formatting issues - Fixed a pair of sentences. - Added mention to hackerone page. Signed-off-by: Francesco Servidio <francesco.servidio@nordicsemi.no> 2021-11-04 17:53:56 +08:00			```
docs: Create initial security policy Signed-off-by: David Brown <david.brown@linaro.org> 2019-10-03 03:59:42 +08:00			`pub rsa4096 2011-10-14 [SC]`
			`DAFD760825AE2636AEA9CB19E6BA9F5C5E54DF82`
			`uid [ultimate] David Brown <davidb@davidb.org>`
			`uid [ultimate] David Brown <david.brown@linaro.org>`
			`sub rsa4096 2011-10-14 [E]`
doc: Updated security.md Updated security.md: - Fixed small formatting issues - Fixed a pair of sentences. - Added mention to hackerone page. Signed-off-by: Francesco Servidio <francesco.servidio@nordicsemi.no> 2021-11-04 17:53:56 +08:00			```
docs: Create initial security policy Signed-off-by: David Brown <david.brown@linaro.org> 2019-10-03 03:59:42 +08:00
			`and`

doc: Updated security.md Updated security.md: - Fixed small formatting issues - Fixed a pair of sentences. - Added mention to hackerone page. Signed-off-by: Francesco Servidio <francesco.servidio@nordicsemi.no> 2021-11-04 17:53:56 +08:00			```
docs: Create initial security policy Signed-off-by: David Brown <david.brown@linaro.org> 2019-10-03 03:59:42 +08:00			`pub rsa4096 2017-07-28 [SC]`
			`126087C7E725625BC7E89CC7537097EDFD4A7339`
			`uid [ unknown] Fabio Utzig <utzig@apache.org>`
			`uid [ unknown] Fabio Utzig <utzig@utzig.org>`
			`sub rsa4096 2017-07-28 [E]`
doc: Updated security.md Updated security.md: - Fixed small formatting issues - Fixed a pair of sentences. - Added mention to hackerone page. Signed-off-by: Francesco Servidio <francesco.servidio@nordicsemi.no> 2021-11-04 17:53:56 +08:00			```
docs: Create initial security policy Signed-off-by: David Brown <david.brown@linaro.org> 2019-10-03 03:59:42 +08:00
			`Please include the word "SECURITY" as well as "MCUboot" in the subject`
doc: Updated security.md Updated security.md: - Fixed small formatting issues - Fixed a pair of sentences. - Added mention to hackerone page. Signed-off-by: Francesco Servidio <francesco.servidio@nordicsemi.no> 2021-11-04 17:53:56 +08:00			`of any message.`
docs: Create initial security policy Signed-off-by: David Brown <david.brown@linaro.org> 2019-10-03 03:59:42 +08:00
doc: Updated security.md Updated security.md: - Fixed small formatting issues - Fixed a pair of sentences. - Added mention to hackerone page. Signed-off-by: Francesco Servidio <francesco.servidio@nordicsemi.no> 2021-11-04 17:53:56 +08:00			`We will make our best effort to respond in a timely manner. Most`
docs: Create initial security policy Signed-off-by: David Brown <david.brown@linaro.org> 2019-10-03 03:59:42 +08:00			`vulnerabilities found within published code will undergo an embargo of`
			`90 days to allow time fixes to be developed and deployed.`

doc: Fix case in titles Unified case in titles. Fixed small grammar issues. Signed-off-by: Francesco Servidio <francesco.servidio@nordicsemi.no> 2021-11-03 20:19:22 +08:00			`## Vulnerability advisories`
docs: Create initial security policy Signed-off-by: David Brown <david.brown@linaro.org> 2019-10-03 03:59:42 +08:00
			`Vulnerability reports and published fixes will be reported as follows:`

doc: Updated security.md Updated security.md: - Fixed small formatting issues - Fixed a pair of sentences. - Added mention to hackerone page. Signed-off-by: Francesco Servidio <francesco.servidio@nordicsemi.no> 2021-11-04 17:53:56 +08:00			`- Issues will be entered into MCUboot's [security advisory`
			`system](https://github.com/mcu-tools/mcuboot/security/advisories) on GitHub, with`
docs: Create initial security policy Signed-off-by: David Brown <david.brown@linaro.org> 2019-10-03 03:59:42 +08:00			`the interested parties (including the reporter) added as viewers.`

			`- The release notes will contain a reference to any allocated CVE(s).`

doc: Updated security.md Updated security.md: - Fixed small formatting issues - Fixed a pair of sentences. - Added mention to hackerone page. Signed-off-by: Francesco Servidio <francesco.servidio@nordicsemi.no> 2021-11-04 17:53:56 +08:00			`- When the embargo is lifted, the security advisory page will be made`
docs: Create initial security policy Signed-off-by: David Brown <david.brown@linaro.org> 2019-10-03 03:59:42 +08:00			`public, and the public CVE database will be updated with all`
			`relevant information.`