OrgZephyr/mcuboot
OrgZephyr
/
mcuboot
mirror of https://github.com/zephyrproject-rtos/mcuboot.git
1
0
Fork 0
Code Issues Releases Wiki Activity

doc: Updated security.md 

Updated security.md:
- Fixed small formatting issues
- Fixed a pair of sentences.
- Added mention to hackerone page.

Signed-off-by: Francesco Servidio <francesco.servidio@nordicsemi.no>
This commit is contained in:
Francesco Servidio 2021-11-04 10:53:56 +01:00 committed by David Brown
parent 9eff1e08bd
commit 4b2f9ce62f
1 changed files with 16 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
docs/SECURITY.md
View File

@ -1,36 +1,41 @@
# MCUboot project security policy
## Reporting security issues
# Project security policy
The MCUboot team takes security, vulnerabilities, and weaknesses
seriously.
Security issues should be sent to the current maintainers of the
project:
## Reporting security issues
You should report security issues either using our page at [Hackerone]
(https://hackerone.com/mcuboot?type=team) or contacting directly the
current maintainers of the project:
- David Brown: davidb@davidb.org or david.brown@linaro.org
- Fabio Utzig: utzig@apache.org
If you wish to send encrypted email, you may use these PGP keys:
If you wish to send an encrypted email, you may use these PGP keys:
```
pub rsa4096 2011-10-14 [SC]
DAFD760825AE2636AEA9CB19E6BA9F5C5E54DF82
uid [ultimate] David Brown <davidb@davidb.org>
uid [ultimate] David Brown <david.brown@linaro.org>
sub rsa4096 2011-10-14 [E]
```
and
```
pub rsa4096 2017-07-28 [SC]
126087C7E725625BC7E89CC7537097EDFD4A7339
uid [ unknown] Fabio Utzig <utzig@apache.org>
uid [ unknown] Fabio Utzig <utzig@utzig.org>
sub rsa4096 2017-07-28 [E]
```
Please include the word "SECURITY" as well as "MCUboot" in the subject
of any messages.
of any message.
We will make our best effort to respond within a timely manner. Most
We will make our best effort to respond in a timely manner. Most
vulnerabilities found within published code will undergo an embargo of
90 days to allow time fixes to be developed and deployed.
@ -38,12 +43,12 @@ vulnerabilities found within published code will undergo an embargo of
Vulnerability reports and published fixes will be reported as follows:
- Issues will be entered into Github's [Security Advisory
system](https://github.com/mcu-tools/mcuboot/security/advisories), with
- Issues will be entered into MCUboot's [security advisory
system](https://github.com/mcu-tools/mcuboot/security/advisories) on GitHub, with
the interested parties (including the reporter) added as viewers.
- The release notes will contain a reference to any allocated CVE(s).
- When any embargo is lifted, the Security Advisory page will be made
- When the embargo is lifted, the security advisory page will be made
public, and the public CVE database will be updated with all
relevant information.