diff --git a/.dictionary b/.dictionary index 782d02dd4402a368176c80a41612ff1988d392b4..cab48e1c0a086ec4b196c7f660eaee7193156056 100644 --- a/.dictionary +++ b/.dictionary @@ -32,6 +32,7 @@ distro DISTROOVERRIDES efidisk eglibc +endeavours envparse extfs FILESEXTRAPATHS @@ -60,6 +61,7 @@ mdev meta-cassini-bsp mickledore minicom +mitigations modutils MPS3 msdos @@ -94,6 +96,7 @@ SAST scarthgap SDHC se +SECURITY.md sourceparams sp srcurifile @@ -118,4 +121,5 @@ WIDEC workdir XNVM xtests +Yocto zeroconf diff --git a/README.md b/README.md index 1722c6d4dfd8cb19572d84be08eb333642e462a8..845cd1ba1d9fd3eec88d07583f2c86cb34d35a89 100644 --- a/README.md +++ b/README.md @@ -48,9 +48,8 @@ Please report problems using GitLab's "Issues" feature. ## Reporting Security Issues -If you find any security vulnerabilities, please do not report them via GitLab -Instead, send an email to the security team at psirt@arm.com stating that you -may have found a security vulnerability in meta-cassini-bsp. +The information about reporting security issues can be found in +[here](SECURITY.md) ## Maintainer(s) diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000000000000000000000000000000000..440f8f49cdd0316144f5d4ba28a7881abf817997 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,49 @@ + + +# Reporting vulnerabilities + +Arm takes security issues seriously and welcomes feedback from researchers and +the security community in order to improve the security of its products and +services. We operate a coordinated disclosure policy for disclosing +vulnerabilities and other security issues. + +Security issues can be complex and one single timescale doesn't fit all +circumstances. We will make best endeavours to inform you when we expect +security notifications and fixes to be available and facilitate coordinated +disclosure when notifications and patches/mitigations are available. + + +## How to Report a Potential Vulnerability? + +If you find any security vulnerabilities, please do not report them via GitLab +Instead, send an email to the security team at stating that you +may have found a security vulnerability in meta-cassini-bsp. + +For more information, please visit https://developer.arm.com/support/arm-security-updates/report-security-vulnerabilities. + + +## Branches maintained with security fixes + +meta-cassini-bsp follows the Yocto release model, so see +[Stable release and LTS](https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS) +for detailed info regarding the policies and maintenance of stable +branches. + +The [Release page](https://wiki.yoctoproject.org/wiki/Releases) contains a list of all +releases of the Yocto Project. Versions in grey are no longer actively maintained with +security patches, but well-tested patches may still be accepted for them for +significant issues. + + +# Disclaimer + +Arm reference solutions are Arm public example software projects that track and +pull upstream components, incorporating their respective security fixes +published over time. Arm partners are responsible for ensuring that the +components they use contain all the required security fixes, if and when they +deploy a product derived from Arm reference solutions.
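Review bot: in the README.md hunk the replacement sentence "The information about reporting security issues can be found in [here](SECURITY.md)" has no terminating period, uses "in here" and carries non-descriptive link text; suggest `See [SECURITY.md](SECURITY.md) for how to report security issues.` so the link target is visible in rendered text. This hunk also removes the only place the README stated the psirt@arm.com contact address, so the new SECURITY.md has to carry that address for the change to be a pure relocation rather than a loss of information.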
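Review bot: in the new SECURITY.md the reporting sentence reads "send an email to the security team at stating that you may have found a security vulnerability in meta-cassini-bsp" with nothing between "at" and "stating"; since the README hunk drops psirt@arm.com in the same change, restore the address here (`send an email to the security team at psirt@arm.com stating that you`), otherwise the repository no longer documents any reporting channel. Two smaller points in the same file: "please do not report them via GitLab Instead" is missing a period after "GitLab" (carried over from the old README text), and the heading "How to Report a Potential Vulnerability?" would match the other headings better without the question mark. The hunk also opens with two empty lines before "# Reporting vulnerabilities"; consider dropping them so the title sits on line 1.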