From 5cad8cabf3724e545086f785cf043fcc9943404f Mon Sep 17 00:00:00 2001 From: Emekcan Aras Date: Wed, 4 Dec 2024 14:41:22 +0000 Subject: [PATCH] docs: Add SECURITY.md Add a SECURITY.md file with a disclaimer and relevant information for the parties who might report potential security vulnerabilities. Signed-off-by: Emekcan Aras --- .dictionary | 4 ++++ README.md | 5 ++--- SECURITY.md | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+), 3 deletions(-) create mode 100644 SECURITY.md diff --git a/.dictionary b/.dictionary index 782d02d..cab48e1 100644 --- a/.dictionary +++ b/.dictionary @@ -32,6 +32,7 @@ distro DISTROOVERRIDES efidisk eglibc +endeavours envparse extfs FILESEXTRAPATHS @@ -60,6 +61,7 @@ mdev meta-cassini-bsp mickledore minicom +mitigations modutils MPS3 msdos @@ -94,6 +96,7 @@ SAST scarthgap SDHC se +SECURITY.md sourceparams sp srcurifile @@ -118,4 +121,5 @@ WIDEC workdir XNVM xtests +Yocto zeroconf diff --git a/README.md b/README.md index 1722c6d..845cd1b 100644 --- a/README.md +++ b/README.md @@ -48,9 +48,8 @@ Please report problems using GitLab's "Issues" feature. ## Reporting Security Issues -If you find any security vulnerabilities, please do not report them via GitLab -Instead, send an email to the security team at psirt@arm.com stating that you -may have found a security vulnerability in meta-cassini-bsp. +The information about reporting security issues can be found in +[here](SECURITY.md) ## Maintainer(s) diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..440f8f4 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,49 @@ + + +# Reporting vulnerabilities + +Arm takes security issues seriously and welcomes feedback from researchers and +the security community in order to improve the security of its products and +services. We operate a coordinated disclosure policy for disclosing +vulnerabilities and other security issues. + +Security issues can be complex and one single timescale doesn't fit all +circumstances. We will make best endeavours to inform you when we expect +security notifications and fixes to be available and facilitate coordinated +disclosure when notifications and patches/mitigations are available. + + +## How to Report a Potential Vulnerability? + +If you find any security vulnerabilities, please do not report them via GitLab +Instead, send an email to the security team at stating that you +may have found a security vulnerability in meta-cassini-bsp. + +For more information, please visit https://developer.arm.com/support/arm-security-updates/report-security-vulnerabilities. + + +## Branches maintained with security fixes + +meta-cassini-bsp follows the Yocto release model, so see +[Stable release and LTS](https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS) +for detailed info regarding the policies and maintenance of stable +branches. + +The [Release page](https://wiki.yoctoproject.org/wiki/Releases) contains a list of all +releases of the Yocto Project. Versions in grey are no longer actively maintained with +security patches, but well-tested patches may still be accepted for them for +significant issues. + + +# Disclaimer + +Arm reference solutions are Arm public example software projects that track and +pull upstream components, incorporating their respective security fixes +published over time. Arm partners are responsible for ensuring that the +components they use contain all the required security fixes, if and when they +deploy a product derived from Arm reference solutions. -- GitLab
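Review bot: In the SECURITY.md hunk, the sentence "send an email to the security team at stating that you may have found a security vulnerability in meta-cassini-bsp" has no address between "at" and "stating"; the README lines this file replaces gave it as psirt@arm.com, so the address should be restored here (if it was written inside angle brackets, verify it survives rendering, since it does not appear in the diff as shown). The same sentence also carries over the missing full stop from the old README text: "via GitLab Instead, send an email" should read "via GitLab. Instead, send an email".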
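Review bot: In the README.md hunk, the replacement text "The information about reporting security issues can be found in [here](SECURITY.md)" drops the sentence's full stop and "in [here]" reads awkwardly; suggest "Information about reporting security issues can be found in [SECURITY.md](SECURITY.md)." Because this hunk removes the only mention of psirt@arm.com from the README, the linked file must state that address explicitly, otherwise reporters are left without a contact.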