<div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10.5pt" ><div dir="ltr" ><div>> What's the short-term strategy for handling [security] vulnerability reports received in the gap between now and getting some formal process in place?</div>
<div> </div>
<div>We don't have a strategy. Let's discuss it here.</div>
<div> </div>
<div>Officially (<a href="https://github.com/openbmc/openbmc/" >https://github.com/openbmc/openbmc/</a> section "Bug Reporting") issues are managed on GitHub.</div>
<div> </div>
<div>Unofficially, Brad volunteered to accept one batch of security vulnerability reports and distribute them, presumably to the OpenBMC TSC members (<a href="https://github.com/openbmc/docs" >https://github.com/openbmc/docs</a> section "Technical Steering Committee ") or their delegates. I assume they would privately contact a trusted OpenBMC contributor who could address the problem.</div>
<div> </div>
<div>We could adapt the Linux model (<a href="https://www.kernel.org/doc/html/v4.16/admin-guide/security-bugs.html" >https://www.kernel.org/doc/html/v4.16/admin-guide/security-bugs.html</a>), although I am still looking for information on what the Linux security team does with the bug report. For example, how security group members track and discuss problems among themselves, how they pull in additional resources to fix or mitigate the problem, and how they inform downstream distros before announcing the problem, etc.</div>
<div> </div>
<div>I think the first step for the OpenBMC team is to establish an email address (like security@openbmc.org), subscribe only trusted people to that email list, and update the docs to explain that you should email the security team for security questions, and use issues for everything else. Presumably, the security team would communicate privately among themselves and the submitter to assess the situation, and contact OpenBMC community members privately to address the problem.</div>
<div> </div>
<div>This would be an easy step to take, and would move the team in the right direction. What do you think?</div></div></div><BR>