blob: 84b130646f31aa24d1db68aff46ecb3e5eaaff86 [file] [log] [blame]
Tom Rini2eaffba2022-11-03 14:25:44 -04001.. SPDX-License-Identifier: GPL-2.0+:
2
3Handling of security vulnerabilities
4====================================
5
6The U-Boot project takes security very seriously. As such, we'd like to know
7when a security bug is found so that it can be fixed and disclosed as quickly
8as possible.
9
10Contact
11-------
12
13The preferred initial point of contact is to send email to
14`u-boot@lists.denx.de` and use `scripts/get_maintainers.pl` to also include any
15relevant custodians. In addition, Tom Rini should be contacted at
16`trini@konsulko.com`.
17
18CVE assignment
19--------------
20
21The U-Boot project cannot directly assign CVEs, nor do we require them for
22reports or fixes, as this can needlessly complicate the process and may delay
23the bug handling. If a reporter wishes to have a CVE identifier assigned ahead
24of public disclosure, they will need to coordinate this on their own. When
25such a CVE identifier is known before a patch is provided, it is desirable to
26mention it in the commit message if the reporter agrees.
27
28Non-disclosure agreements
29-------------------------
30
31The U-Boot project is not a formal body and therefore unable to enter any
32non-disclosure agreements.