.. SPDX-License-Identifier: GPL-2.0+:

Handling of security vulnerabilities
====================================

The U-Boot project takes security very seriously. As such, we'd like to know
when a security bug is found so that it can be fixed and disclosed as quickly
as possible.

Contact
-------

The preferred initial point of contact is to send email to
`u-boot@lists.denx.de` and use `scripts/get_maintainers.pl` to also include any
relevant custodians. In addition, Tom Rini should be contacted at
`trini@konsulko.com`.

CVE assignment
--------------

The U-Boot project cannot directly assign CVEs, nor do we require them for
reports or fixes, as this can needlessly complicate the process and may delay
the bug handling. If a reporter wishes to have a CVE identifier assigned ahead
of public disclosure, they will need to coordinate this on their own. When
such a CVE identifier is known before a patch is provided, it is desirable to
mention it in the commit message if the reporter agrees.

Non-disclosure agreements
-------------------------

The U-Boot project is not a formal body and therefore unable to enter any
non-disclosure agreements.