@@ -536,186 +536,8 @@ considered and documented.
536536Security Vulnerability Reporting
537537================================
538538
539- Vulnerabilities to the Zephyr project may be reported via email to the
540- [email protected] mailing list. These reports will be
541- acknowledged and analyzed by the security response team within 1 week.
542- Each vulnerability will be entered into the Zephyr Project security
543- tracking JIRA _. The original submitter will be granted permission to
544- view the issues that they have reported.
545-
546- .. _JIRA : https://zephyrprojectsec.atlassian.net/
547-
548- Reporters may also submit reports by directly submitting them to the
549- Zephyr Product security tracking JIRA.
550-
551- Security Issue Management
552- =========================
553-
554- Issues within this bug tracking system will transition through a
555- number of states according to this diagram:
556-
557- .. figure :: media/zepsec-workflow.png
558-
559- - New: This state represents new reports that have been entered
560- directly by a reporter. When entered by the response team in
561- response to an email, the issue shall be transitioned directly to
562- Triage.
563-
564- - Triage: This issue is awaiting Triage by the response team. The
565- response team will analyze the issue, determine a responsible
566- entity, assign the JIRA ticket to that individual, and move the
567- issue to the Assigned state. Part of triage will be to set the
568- issue's priority.
569-
570- - Assigned: The issue has been assigned, and is awaiting a fix by the
571- assignee.
572-
573- - Review: Once there is a Zephyr pull request for the issue, the PR
574- link will be added to a comment in the issue, and the issue moved to
575- the Review state.
576-
577- - Accepted: Indicates that this issue has been merged into the
578- appropriate branch within Zephyr.
579-
580- - Release: The PR has been included in a released version of Zephyr.
581-
582- - Public: The embargo period has ended. The issue will be made
583- publically visible, the associated CVE updated, and the
584- vulnerabilities page in the docs updated to include the detailed
585- information.
586-
587- The issues created in this JIRA instance are kept private, due to the
588- sensitive nature of security reports. The issues are only visible to
589- certain parties:
590-
591- - Members of the PSIRT mailing list
592-
593- - the reporter
594-
595- - others, as proposed and ratified by the Zephyr Security
596- Subcommittee. In the general case, this will include:
597-
598- - The code owner responsible for the fix.
599-
600- - The Zephyr release owners for the relevant releases affected by
601- this vulnerability.
602-
603- The Zephyr Security Subcommittee shall review the reported
604- vulnerabilities during any meeting with more than three people in
605- attendance. During this review, they shall determine if new issues
606- need to be embargoed.
607-
608- The guideline for embargo will be based on: 1. Severity of the issue,
609- and 2. Exploitability of the issue. Issues that the subcommittee
610- decides do not need an embargo will be reproduced in the regular
611- Zephyr project bug tracking system, and a comment added to the JIRA
612- issue pointing to the bug tracking issue. These issues will be marked
613- as being tracked within the Zephyr bug tracking system.
614-
615- Security sensitive vulnerabilities shall be made public after an
616- embargo period of at most 90 days. The intent is to allow 30 days
617- within the Zephyr project to fix the issues, and 60 days for external
618- parties building products using Zephyr to be able to apply and
619- distribute these fixes.
620-
621- Fixes to the code shall be made through pull requests PR in the Zephyr
622- project github. Developers shall make an attempt to not reveal the
623- sensitive nature of what is being fixed, and shall not refer to CVE
624- numbers that have been assigned to the issue. The developer instead
625- should merely describe what has been fixed.
626-
627- The security subcommittee will maintain information mapping embargoed
628- CVEs to these PRs (this information is within the JIRA issues), and
629- produce regular reports of the state of security issues.
630-
631- Each JIRA issue that is considered a security vulnerability shall be
632- assigned a CVE number. As fixes are created, it may be necessary to
633- allocate additional CVE numbers, or to retire numbers that were
634- assigned.
635-
636- Vulnerability Notification
637- ==========================
638-
639- Each Zephyr release shall contain a report of CVEs that were fixed in
640- that release. Because of the sensitive nature of these
641- vulnerabilities, the release shall merely include a list of CVEs that
642- have been fixed. After the embargo period, the vulnerabilities page
643- shall be updated to include additional details of these
644- vulnerabilities. The vulnerability page shall give credit to the
645- reporter(s) unless a reporter specifically requests anonymity.
646-
647- The Zephyr project shall maintain a vulnerability-alerts mailing list.
648- This list will be seeded initially with a contact from each project
649- member. Additional parties can request to join this list by filling
650- out the form at the `Vulnerability Registry `_. These parties will be
651- vetted by the project director to determine that they have a
652- legimitate interest in knowing about security vulnerabilities during
653- the embargo period.
654-
655- .. _Vulnerability Registry : https://www.zephyrproject.org/vulnerability-registry/
656-
657- Periodically, the security subcommittee will send information to this
658- mailing list describing known embargoed issues, and their backport
659- status within the project. This information is intended to allow them
660- to determine if they need to backport these changes to any internal
661- trees.
662-
663- When issues have been triaged, this list will be informed of:
664-
665- - The Zephyr Project security JIRA link (ZEPSEC).
666-
667- - The CVE number assigned.
668-
669- - The subsystem involved.
670-
671- - The severity of the issue.
672-
673- After acceptance of a PR fixing the issue (merged), in addition to the
674- above, the list will be informed of:
675-
676- - The association between the CVE number and the PR fixing it.
677-
678- - Backport plans within the Zephyr project.
679-
680- Backporting of Security Vulnerabilities
681- =======================================
682-
683- Each security issue fixed within zephyr shall be backported to the
684- following releases:
685-
686- - The current Long Term Stable (LTS) release.
687-
688- - The most recent two releases.
689-
690- The developer of the fix shall be responsible for any necessary
691- backports, and apply them to any of the above listed release branches,
692- unless the fix does not apply (the vulnerability was introduced after
693- this release was made).
694-
695- Backports will be tracked on the security JIRA instance using a
696- subtask issue of type "backport".
697-
698- Need to Know
699- ============
700-
701- Due to the sensitive nature of security vulnerabilities, it is
702- important to share details and fixes only with those parties that have
703- a need to know. The following parties will need to know details about
704- security vulnerabilities before the embargo period ends:
705-
706- - Maintainers will have access to all information within their domain
707- area only.
708-
709- - The current release manager, and the release manager for historical
710- releases affected by the vulnerability (see backporting above).
711-
712- - The Project Security Incident Response (PSIRT) team will have full
713- access to information. The PSIRT is made up of representatives from
714- platinum members, and volunteers who do work on triage from other
715- members.
716-
717- - As needed, release managers and maintainers may be invited to attend
718- additional security meetings to discuss vulnerabilties.
539+ Please see :ref: `reporting ` for information on reporting security
540+ vulnerabilities.
719541
720542Threat Modeling and Mitigation
721543==============================
0 commit comments