Re: [PATCH 2/2] SECURITY: Add SECURITY file

grub-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 2/2] SECURITY: Add SECURITY file

From:	Paul Menzel
Subject:	Re: [PATCH 2/2] SECURITY: Add SECURITY file
Date:	Thu, 3 Jun 2021 08:31:15 +0200
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.10.2

Dear Daniel,


Am 01.06.21 um 18:13 schrieb Daniel Kiper:

The SECURITY file describes the GRUB project security policy.

It is based on https://github.com/wireapp/wire/blob/master/SECURITY.md

Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
Signed-off-by: Vladimir Serbinenko <phcoder@google.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
---
  MAINTAINERS |  3 +++
  SECURITY    | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  2 files changed, 64 insertions(+)
  create mode 100644 SECURITY

diff --git a/MAINTAINERS b/MAINTAINERS
index 41fdf5a04..3d5d1ae97 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -8,6 +8,9 @@ Here is the list of current GRUB maintainers:

The maintainers drive and overlook the GRUB development.+If you found a security vulnerability in the GRUB please check the SECURITY file to

+get more information how to properly report this kind of bugs to the 
maintainers.
+


I’d put this into the file `README`.

  The GRUB development happens on the grub-devel mailing list [1]. The latest
  GRUB source code is available at Savannah git repository [2].

diff --git a/SECURITY b/SECURITY

new file mode 100644
index 000000000..abe1a2fe4
--- /dev/null
+++ b/SECURITY
@@ -0,0 +1,61 @@
+Security Policy
+===============
+
+To report a vulnerability see "Reporting a Vulnerability" below.
+
+
+Security Incident Policy
+========================
+
+Security bug reports are treated with special attention and are handled
+differently from normal bugs. In particular, security sensitive bugs are not
+handled in public but in private. Information about the bug and access to it
+is restricted to people in the security bug group, the individual engineers


Who is the “security bug group”?

+that work on fixing it, and any other person who needs to be involved for
+organisational reasons. The process is handled by the security team, which
+decides on the people involved in order to fix the issue. It is also
+guaranteed that the person reporting the issue has visibility into the process
+of fixing it. Any security issue gets prioritized according to its security
+rating. The issue is opened up to the public in coordination with the release
+schedule and the reporter.
+
+
+Disclosure Policy
+=================
+
+Everyone involved in the handling of a security issue - including the reporter 
-
+is required to adhere to the following policy. Any information related to


Are you sure you can put these restrictions on the reporter?

+a security issue must be treated as confidential and only shared with trusted
+partners if necessary, for example to coordinate a release or manage exposure
+of clients to the issue. No information must be disclosed to the public before
+the embargo ends. The embargo time is agreed upon by all involved parties. It
+should be as short as possible without putting any users at risk.
+
+
+Supported Versions
+==================
+
+Only the most recent version of the GRUB is supported.
+
+While there's currently no bug bounty program we appreciate every report.
+
+
+Reporting a Vulnerability
+=========================
+
+The security report has to be encrypted with the PGP keys and send to ALL email


s/has to be/should be/

I guess you will look at these reports even if they are not encrypted?

+addresses listed below. Every vulnerability report will be assessed within
+72 hours of receiving it. If the outcome of the assessment is that the report
+describes a security issue, the report will be transferred into an issue on the
+internal vulnerability project for further processing. The reporter is updated
+on each step of the process.
+
+* Contact: Daniel Kiper <daniel.kiper@oracle.com> and
+           Daniel Kiper <dkiper@net-space.pl>
+* PGP Key Fingerprint: BE5C 2320 9ACD DACE B20D  B0A2 8C81 89F1 988C 2166
+
+* Contact: Alex Burmashev <alexander.burmashev@oracle.com>
+* PGP Key Fingerprint: 50A4 EC06 EF7E B84D 67E0  3BB6 2AE2 C87E 28EF 2E6E
+
+* Contact: Vladimir 'phcoder' Serbinenko <phcoder@gmail.com>
+* PGP Key Fingerprint: E53D 497F 3FA4 2AD8 C9B4  D1E8 35A9 3B74 E82E 4209



Kind regards,

Paul

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH 0/2] Add MAINTAINERS and SECURITY files, Daniel Kiper, 2021/06/01
- [PATCH 1/2] MAINTAINERS: Add MAINTAINERS file, Daniel Kiper, 2021/06/01
  - Re: [PATCH 1/2] MAINTAINERS: Add MAINTAINERS file, Paul Menzel, 2021/06/03
- [PATCH 2/2] SECURITY: Add SECURITY file, Daniel Kiper, 2021/06/01
  - Re: [PATCH 2/2] SECURITY: Add SECURITY file, Paul Menzel <=

Prev by Date: Re: [PATCH 1/2] MAINTAINERS: Add MAINTAINERS file
Next by Date: [PATCH 1/1] GRUB_SESAME support. (Take 4)
Previous by thread: [PATCH 2/2] SECURITY: Add SECURITY file
Next by thread: Re: GRUB 2.06 release is nearing
Index(es):
- Date
- Thread