[PATCH v2 2/2] SECURITY: Add SECURITY file


From: Daniel Kiper
Subject: [PATCH v2 2/2] SECURITY: Add SECURITY file
Date: Mon, 7 Jun 2021 20:07:34 +0200

The SECURITY file describes the GRUB project security policy.

It is based on https://github.com/wireapp/wire/blob/master/SECURITY.md

Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
Signed-off-by: Vladimir Serbinenko <phcoder@google.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
---
v2 - suggestions/fixes:
   - mention the SECURITY file in the README file
     (suggested by Paul Menzel),
   - improve some wording in the SECURITY file
     (suggested by Paul Menzel).
---
 MAINTAINERS |  4 ++++
 README      |  4 ++++
 SECURITY    | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 68 insertions(+)
 create mode 100644 SECURITY

diff --git a/MAINTAINERS b/MAINTAINERS
index 9eff2b8ab..45e870c78 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -8,6 +8,10 @@ Here is the list of current GRUB maintainers:
 
 The maintainers drive and overlook the GRUB development.
 
+If you found a security vulnerability in the GRUB please check the SECURITY
+file to get more information how to properly report this kind of bugs to
+the maintainers.
+
 The GRUB development happens on the grub-devel mailing list [1]. The latest
 GRUB source code is available at Savannah git repository [2].
 
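Review bot: the paragraph added in this hunk has grammar slips that reporters will trip over: "in the GRUB" should be "in GRUB", and "information how to properly report this kind of bugs" should be "information on how to properly report this kind of bug". Suggested wording for the three added lines:
`If you found a security vulnerability in GRUB, please check the SECURITY`
`file for information on how to properly report this kind of bug to the`
`maintainers.`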
diff --git a/README b/README
index b1aa79723..49ce15ea3 100644
--- a/README
+++ b/README
@@ -9,6 +9,10 @@ GRUB 2 data and program files.
 
 See the file MAINTAINERS for information about the GRUB maintainers, etc.
 
+If you found a security vulnerability in the GRUB please check the SECURITY
+file to get more information how to properly report this kind of bugs to
+the maintainers.
+
 Please visit the official web page of GRUB 2, for more information.
 The URL is <http://www.gnu.org/software/grub/grub.html>.
 
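Review bot: this paragraph is a verbatim copy of the one added to MAINTAINERS in the previous hunk, so the same grammar fixes apply ("in GRUB", "information on how", "this kind of bug"). Since the two copies will have to be kept in sync, consider reducing the README pointer to one sentence in the style of the existing "See the file MAINTAINERS ..." line directly above it, e.g. `See the file SECURITY for how to report a security vulnerability.`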
diff --git a/SECURITY b/SECURITY
new file mode 100644
index 000000000..2d2267858
--- /dev/null
+++ b/SECURITY
@@ -0,0 +1,60 @@
+Security Policy
+===============
+
+To report a vulnerability see "Reporting a Vulnerability" below.
+
+
+Security Incident Policy
+========================
+
+Security bug reports are treated with special attention and are handled
+differently from normal bugs. In particular, security sensitive bugs are not
+handled in public but in private. Information about the bug and access to it
+is restricted to people in the security group, the individual engineers that
+work on fixing it, and any other person who needs to be involved for 
organisational
+reasons. The process is handled by the security team, which decides on the 
people
+involved in order to fix the issue. It is also guaranteed that the person 
reporting
+the issue has visibility into the process of fixing it. Any security issue gets
+prioritized according to its security rating. The issue is opened up to the 
public
+in coordination with the release schedule and the reporter.
+
+
+Disclosure Policy
+=================
+
+Everyone involved in the handling of a security issue - including the reporter 
-
+is required to adhere to the following policy. Any information related to
+a security issue must be treated as confidential and only shared with trusted
+partners if necessary, for example to coordinate a release or manage exposure
+of clients to the issue. No information must be disclosed to the public before
+the embargo ends. The embargo time is agreed upon by all involved parties. It
+should be as short as possible without putting any users at risk.
+
+
+Supported Versions
+==================
+
+Only the most recent version of the GRUB is supported.
+
+While there's currently no bug bounty program we appreciate every report.
+
+
+Reporting a Vulnerability
+=========================
+
+The security report should be encrypted with the PGP keys and send to ALL email
+addresses listed below. Every vulnerability report will be assessed within
+72 hours of receiving it. If the outcome of the assessment is that the report
+describes a security issue, the report will be transferred into an issue on the
+internal vulnerability project for further processing. The reporter is updated
+on each step of the process.
+
+* Contact: Daniel Kiper <daniel.kiper@oracle.com> and
+           Daniel Kiper <dkiper@net-space.pl>
+* PGP Key Fingerprint: BE5C 2320 9ACD DACE B20D  B0A2 8C81 89F1 988C 2166
+
+* Contact: Alex Burmashev <alexander.burmashev@oracle.com>
+* PGP Key Fingerprint: 50A4 EC06 EF7E B84D 67E0  3BB6 2AE2 C87E 28EF 2E6E
+
+* Contact: Vladimir 'phcoder' Serbinenko <phcoder@gmail.com>
+* PGP Key Fingerprint: E53D 497F 3FA4 2AD8 C9B4  D1E8 35A9 3B74 E82E 4209
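Review bot: the "Reporting a Vulnerability" section tells reporters to encrypt with "the PGP keys" but never says where to obtain them; a fingerprint on its own only lets a reporter verify a key they already have, so each contact entry should name the source the maintainers actually publish the key through (keyserver, project web page, or a file in the tree), and the text should state that a report is to be encrypted to all three keys in a single message so that every listed contact can decrypt it. Smaller points in the same hunk: "send to ALL email addresses" should be "sent"; "Only the most recent version of the GRUB" should be "of GRUB"; the Security Incident Policy calls the same body "the security group" in one sentence and "the security team" in the next, so pick one term; Vladimir's contact address here is phcoder@gmail.com while his Signed-off-by on this patch uses phcoder@google.com, so confirm which address belongs to the listed fingerprint; and "assessed within 72 hours" is a commitment made to every reporter, so either make sure the team can keep it when one contact is unavailable or phrase it as a target.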
-- 
2.11.0

