From 1367cc19f189d95cc214d3f7c9055e6acd81c79d Mon Sep 17 00:00:00 2001 From: Sandrine Bailleux Date: Mon, 22 Jun 2020 12:11:47 +0200 Subject: Redirect security incident report to TrustedFirmware.org All projects under the TrustedFirmware.org project now use the same security incident process, therefore update the disclosure/vulnerability reporting information in the TF-A documentation. ------------------------------------------------------------------------ /!\ IMPORTANT /!\ Please note that the email address to send these reports to has changed. Please do *not* use trusted-firmware-security@arm.com anymore. Similarly, the PGP key provided to encrypt emails to the security email alias has changed as well. Please do *not* use the former one provided in the TF-A source tree. It is recommended to remove it from your keyring to avoid any mistake. Please use the new key provided on TrustedFirmware.org from now on. ------------------------------------------------------------------------ Change-Id: I14eb61017ab99182f1c45d1e156b96d5764934c1 Signed-off-by: Sandrine Bailleux --- docs/process/security.rst | 50 ++++++++++++----------------------------------- 1 file changed, 12 insertions(+), 38 deletions(-) (limited to 'docs/process/security.rst') diff --git a/docs/process/security.rst b/docs/process/security.rst index c3935daa1..516eb98d7 100644 --- a/docs/process/security.rst +++ b/docs/process/security.rst 
@@ -20,40 +20,13 @@ Found a Security Issue? Although we try to keep TF-A secure, we can only do so with the help of the community of developers and security researchers. -If you think you have found a security vulnerability, please **do not** report it -in the `issue tracker`_. Instead send an email to -trusted-firmware-security@arm.com - -Please include: - -* Trusted Firmware-A version (or commit) affected - -* A description of the concern or vulnerability - -* Details on how to replicate the vulnerability, including: - - - Configuration details - - - Proof of concept exploit code - - - Any additional software or tools required - -We recommend using :download:`this PGP/GPG key <./security-reporting.asc>` for -encrypting the information. This key is also available at -http://keyserver.pgp.com and LDAP port 389 of the same server. - -The fingerprint for this key is: - -:: - - 1309 2C19 22B4 8E87 F17B FE5C 3AB7 EFCB 45A0 DFD0 - -If you would like replies to be encrypted, please provide your public key. - -Please give us the time to respond to you and fix the vulnerability before going -public. We do our best to respond and fix any issues quickly. We also need to -ensure providers of products that use TF-A have a chance to consider the -implications of the vulnerability and its remedy. +If you think you have found a security vulnerability, please **do not** report +it in the `issue tracker`_. Instead, please follow the `TrustedFirmware.org +security incident process`_. One of the goals of this process is to ensure +providers of products that use TF-A have a chance to consider the implications +of the vulnerability and its remedy before it is made public. As such, please +follow the disclosure plan outlined in the process. We do our best to respond +and fix any issues quickly. Afterwards, we encourage you to write-up your findings about the TF-A source code. 
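Review bot: the `:download:` reference to `./security-reporting.asc` is removed here, but the key file itself is outside this (filtered) view; since the commit message states the old key must no longer be used and should even be removed from keyrings, make sure `docs/process/security-reporting.asc` is deleted in the same change, otherwise the obsolete key keeps shipping in the source tree where people will still find it. The hunk also drops the whole "Please include:" checklist (affected version or commit, description, reproduction details) without a replacement; if the tf.org process page covers that, a short pointer such as "see the process page for the information to include in your report" would keep this page self-explanatory. Minor, in the unchanged context line: "write-up" is a noun, the verb is "write up".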
@@ -61,8 +34,8 @@ code. Attribution ----------- -We will name and thank you in the :ref:`Change Log & Release Notes` distributed with the source -code and in any published security advisory. +We will name and thank you in the :ref:`Change Log & Release Notes` distributed +with the source code and in any published security advisory. Security Advisories ------------------- @@ -96,7 +69,6 @@ Security Advisories +-----------+------------------------------------------------------------------+ .. _issue tracker: https://developer.trustedfirmware.org/project/board/1/ -.. _this PGP/GPG key: security-reporting.asc .. |TFV-1| replace:: :ref:`Advisory TFV-1 (CVE-2016-10319)` .. |TFV-2| replace:: :ref:`Advisory TFV-2 (CVE-2017-7564)` @@ -107,6 +79,8 @@ Security Advisories .. |TFV-7| replace:: :ref:`Advisory TFV-7 (CVE-2018-3639)` .. |TFV-8| replace:: :ref:`Advisory TFV-8 (CVE-2018-19440)` +.. _TrustedFirmware.org security incident process: https://developer.trustedfirmware.org/w/collaboration/security_center/ + -------------- -*Copyright (c) 2019, Arm Limited. All rights reserved.* +*Copyright (c) 2019-2020, Arm Limited. All rights reserved.* -- cgit v1.2.3 From a88b3c296ab99fb7080de199a0b6291d2b44fceb Mon Sep 17 00:00:00 2001 From: Sandrine Bailleux Date: Mon, 3 Aug 2020 10:27:19 +0200 Subject: doc: Stop advising the creation of Phabricator issues We have noticed that Phabricator (the ticketing system on tf.org [1]) has far less visibility within the community than the mailing list [2]. For this reason, let's drop usage of Phabricator for anything else than bug reports. For the rest, advise contributors to start a discussion on the mailing list, where they are more likely to get feedback. [1] https://developer.trustedfirmware.org/project/board/1/ [2] https://lists.trustedfirmware.org/mailman/listinfo/tf-a Change-Id: I7d2d3d305ad0a0f8aacc2a2f25eb5ff429853a3f 
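Review bot: the new `.. _TrustedFirmware.org security incident process:` target is added below the `|TFV-n|` substitution definitions rather than next to `.. _issue tracker:`, where this file keeps its hyperlink targets (the `_this PGP/GPG key` target removed in the previous hunk sat there too); move it up beside `.. _issue tracker:` so targets and substitutions stay grouped. The added empty `+` line plus the existing blank context line leave two blank lines before the `--------------` transition where one is enough. The copyright bump to 2019-2020 is correct for this edit.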
Signed-off-by: Sandrine Bailleux --- docs/process/security.rst | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'docs/process/security.rst') diff --git a/docs/process/security.rst b/docs/process/security.rst index 516eb98d7..0d59e723c 100644 --- a/docs/process/security.rst +++ b/docs/process/security.rst @@ -21,12 +21,12 @@ Although we try to keep TF-A secure, we can only do so with the help of the community of developers and security researchers. If you think you have found a security vulnerability, please **do not** report -it in the `issue tracker`_. Instead, please follow the `TrustedFirmware.org -security incident process`_. One of the goals of this process is to ensure -providers of products that use TF-A have a chance to consider the implications -of the vulnerability and its remedy before it is made public. As such, please -follow the disclosure plan outlined in the process. We do our best to respond -and fix any issues quickly. +it in the `issue tracker`_ or on the `mailing list`_. Instead, please follow the +`TrustedFirmware.org security incident process`_. One of the goals of this +process is to ensure providers of products that use TF-A have a chance to +consider the implications of the vulnerability and its remedy before it is made +public. As such, please follow the disclosure plan outlined in the process. We +do our best to respond and fix any issues quickly. Afterwards, we encourage you to write-up your findings about the TF-A source code. @@ -69,6 +69,7 @@ Security Advisories +-----------+------------------------------------------------------------------+ .. _issue tracker: https://developer.trustedfirmware.org/project/board/1/ +.. _mailing list: https://lists.trustedfirmware.org/mailman/listinfo/tf-a .. |TFV-1| replace:: :ref:`Advisory TFV-1 (CVE-2016-10319)` .. |TFV-2| replace:: :ref:`Advisory TFV-2 (CVE-2017-7564)` -- cgit v1.2.3 From ecad5b8966dd098fdc37dc448d66841bc6148131 Mon Sep 17 00:00:00 2001 
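Review bot: the "please **do not** report it in the `issue tracker`_ or on the `mailing list`_" instruction is the single most important sentence on this page, and it now sits in the middle of a six-line paragraph that also explains disclosure timing; consider pulling it into a `.. warning::` admonition so it is visually separated from the rationale, and keep "One of the goals of this process ..." as a normal paragraph below it. Rewrapping the whole paragraph for a one-clause insertion also makes the diff harder to review, although the 80-column convention of this file leaves little choice. The `.. _mailing list:` target in the second hunk is correctly placed beside `.. _issue tracker:`.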
From: Sandrine Bailleux Date: Wed, 12 Aug 2020 10:52:32 +0200 Subject: doc: Emphasize that security issues must not be reported as normal bugs Change-Id: I43e452c9993a8608b20ec029562982f5dcf8e6b2 Signed-off-by: Sandrine Bailleux --- docs/process/security.rst | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) (limited to 'docs/process/security.rst') diff --git a/docs/process/security.rst b/docs/process/security.rst index 0d59e723c..a3b9971e4 100644 --- a/docs/process/security.rst +++ b/docs/process/security.rst @@ -20,13 +20,15 @@ Found a Security Issue? Although we try to keep TF-A secure, we can only do so with the help of the community of developers and security researchers. -If you think you have found a security vulnerability, please **do not** report -it in the `issue tracker`_ or on the `mailing list`_. Instead, please follow the -`TrustedFirmware.org security incident process`_. One of the goals of this -process is to ensure providers of products that use TF-A have a chance to -consider the implications of the vulnerability and its remedy before it is made -public. As such, please follow the disclosure plan outlined in the process. We -do our best to respond and fix any issues quickly. +.. warning:: + If you think you have found a security vulnerability, please **do not** + report it in the `issue tracker`_ or on the `mailing list`_. Instead, please + follow the `TrustedFirmware.org security incident process`_. + +One of the goals of this process is to ensure providers of products that use +TF-A have a chance to consider the implications of the vulnerability and its +remedy before it is made public. As such, please follow the disclosure plan +outlined in the process. We do our best to respond and fix any issues quickly. Afterwards, we encourage you to write-up your findings about the TF-A source code. -- cgit v1.2.3
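Review bot: the instruction that actually governs disclosure timing, "please follow the disclosure plan outlined in the process", stays in the plain paragraph below the new `.. warning::`, while the admonition only says where not to report; since the point of this change is emphasis, consider moving that sentence into the warning (or appending "including its disclosure plan" after the process link) so a reporter who reads only the box gets both rules. The content indented directly under `.. warning::` with no blank line is valid reStructuredText, since the admonition takes no arguments, so no change needed there. While the paragraph is being touched, the unchanged context line "we encourage you to write-up your findings" should read "write up" (verb).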