If you have found a potential security vulnerability, disclosing it publicly without review could put systems and people at risk through compromised hardware or software. The OpenBMC security response team exists to provide a place to discuss fixes privately for a time before public disclosure.
If you have a potential security issue, contact the security response team at openbmc-security@lists.ozlabs.org. In your email, include:
- The security issue in question, including a basic justification of why this is a security issue.
- Which platform this was reproduced on. Please do not specify "all".
- A script or example of how to reproduce the bug. Please ensure that this example runs against a BMC.
- Quotes from any relevant specifications governing this vulnerability.
- A proposed patch to solve the issue.
- Your legal name so if this is disclosed, we can credit the author.
The details of the vulnerability must be disclosed in the body of the email, and pertain only to the issue found. The body of the email must be written as plain-text. Vulnerability reports must not be provided in binary attachments, such as PDFs, compressed archives, etc. Such attachments will be disregarded.
Please also ensure prior to submission that your issue reproduces on the target platform from a commit on the openbmc/master branch less than a week prior to submission. If you've found multiple issues, please make sure that you send one email per issue.
Once received, the security response team will privately elect an "issue lead". This issue lead may be elected based on who has the most knowledge of the subject area, but won't necessarily be the repository owner. This will happen within 10 days of the security report.
Once an issue lead has been determined, they will:
- Make a preliminary analysis of the security issue.
- Propose a patch to fix the issue.
- Tag and work with the appropriate maintainers and subject matter experts in the email thread above.
- If appropriate, assign a CVE number and/or publish a GitHub disclosure at the conclusion.
Please refer to the CERT Guide to Coordinated Vulnerability Disclosure (SPECIAL REPORT CMU/SEI-2017-SR-022) for additional considerations.
For issues that do not present a security risk on a real system, or cannot be reproduced, but otherwise might be an improvement to the code, please follow the normal contributor process and submit your fixes to the appropriate repository.
- Join the OpenBMC community on one of the existing OpenBMC communication channels.