diff --git a/docs/SECURITY.md b/docs/SECURITY.md index f995385c3..6627c1417 100644 --- a/docs/SECURITY.md +++ b/docs/SECURITY.md 
@@ -1,56 +1,31 @@ # Project security policy -The MCUboot team takes security, vulnerabilities, and weaknesses -seriously. +The MCUboot project uses the [TrustedFirmware.org security +policy](https://www.trustedfirmware.org/.well-known/security.txt). -## Reporting security issues +## Reporting security vulnerabilities -The preferred way to report security issues with MCUboot is via the "Report a -security vulnerability" button on the main [security -page](https://github.com/mcu-tools/mcuboot/security). +The preferred way to report a security vulnerability with MCUboot is via the +"Report a vulnerability" button on the main [security page +](https://github.com/mcu-tools/mcuboot/security). -You can also directly contact the following maintainers of the project: - -- David Brown: davidb@davidb.org or david.brown@linaro.org -- Fabio Utzig: utzig@apache.org - -If you wish to send an encrypted email, you may use these PGP keys: - -``` - pub rsa4096 2011-10-14 [SC] - DAFD760825AE2636AEA9CB19E6BA9F5C5E54DF82 - uid [ultimate] David Brown - uid [ultimate] David Brown - sub rsa4096 2011-10-14 [E] -``` - -and - -``` - pub rsa4096 2017-07-28 [SC] - 126087C7E725625BC7E89CC7537097EDFD4A7339 - uid [ unknown] Fabio Utzig - uid [ unknown] Fabio Utzig - sub rsa4096 2017-07-28 [E] -``` - -Please include the word "SECURITY" as well as "MCUboot" in the subject +You can also email the MCUboot security team at +mcuboot-security@lists.trustedfirmware.org as per the TrustedFirmware.org +policy. Please include the word "SECURITY" as well as "MCUboot" in the subject of any message. -We will make our best effort to respond in a timely manner. Most -vulnerabilities found within published code will undergo an embargo of -90 days to allow time fixes to be developed and deployed. 
- -## Vulnerability advisories +## Disclosure -Vulnerability reports and published fixes will be reported as follows: +Any confirmed security vulnerability will be disclosed to Trusted Stakeholders +as per the TrustedFirmware.org policy. -- Issues will be entered into MCUboot's [security advisory - system](https://github.com/mcu-tools/mcuboot/security/advisories) on GitHub, with - the interested parties (including the reporter) added as viewers. +A draft advisory and vulnerability fix will be created in MCUboot's [security +advisory system](https://github.com/mcu-tools/mcuboot/security/advisories) on +GitHub, with any interested Trusted Stakeholders and the reporter added as +viewers. -- The release notes will contain a reference to any allocated CVE(s). +On the public disclosure date, the security advisory page will be made public, +and the public CVE database will be updated with all relevant information. -- When the embargo is lifted, the security advisory page will be made - public, and the public CVE database will be updated with all - relevant information. +The release notes of the next MCUboot release will refer to any allocated +CVE(s). diff --git a/docs/release-notes.d/align-security-policy.md b/docs/release-notes.d/align-security-policy.md new file mode 100644 index 000000000..46c0dac7f --- /dev/null +++ b/docs/release-notes.d/align-security-policy.md @@ -0,0 +1,2 @@ +- Aligned the project security policy with the [TrustedFirmware.org security +policy](https://www.trustedfirmware.org/.well-known/security.txt).
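Review bot: In the SECURITY.md hunk, the removed sentence stating the 90-day embargo is not replaced with any disclosure timeline, and the new "Disclosure" section refers to "the public disclosure date" without saying how it is set; a reporter reading only this file cannot tell when a fix will become public. Either state the embargo window that the TrustedFirmware.org policy applies or make "public disclosure date" link directly to the section of that policy which defines it. Note that the linked `security.txt` is the machine-readable RFC 9116 file, so check that it points at the human-readable policy (its `Policy:` entry) and consider linking that document instead. Two smaller points in the same hunk: "Trusted Stakeholders" is introduced as a capitalised term but never defined or linked, and by dropping the maintainers' PGP fingerprints the page no longer says whether encrypted reports to `mcuboot-security@lists.trustedfirmware.org` are possible, so add a sentence saying how to send one (or that the GitHub "Report a vulnerability" form is the confidential channel). Finally, `[security page\n](https://github.com/mcu-tools/mcuboot/security)` breaks the link text before the closing bracket, leaving a trailing space in the rendered link; keep `]` on the same line as the text.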
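Review bot: The new `docs/release-notes.d/align-security-policy.md` entry says only that the policy was aligned, which hides the changes integrators actually need to act on: the reporting address is now `mcuboot-security@lists.trustedfirmware.org` instead of the two named maintainers, the maintainer PGP keys are no longer published, and the fixed 90-day embargo statement has been removed in favour of the TrustedFirmware.org process. Expand the note to list those three points so that anyone with the old contact details or embargo expectations in their own process is told to update them.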