
Add SECURITY.md

Message ID 20240318133730.3207078-1-ross.burton@arm.com
State New

Commit Message

Ross Burton March 18, 2024, 1:37 p.m. UTC
From: Ross Burton <ross.burton@arm.com>

---
 SECURITY.md | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 SECURITY.md

Comments

Jon Mason March 18, 2024, 6:25 p.m. UTC | #1
On Mon, 18 Mar 2024 13:37:30 +0000, ross.burton@arm.com wrote:
> 
> 

Applied, thanks!

[1/1] Add SECURITY.md
      commit: c93a1459dafa86a0bef346e95f688e7c32bc5eef

Best regards,

Patch

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..0fa6cbcd
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,37 @@ 
+# Reporting vulnerabilities
+
+Arm takes security issues seriously and welcomes feedback from researchers and
+the security community in order to improve the security of its products and
+services. We operate a coordinated disclosure policy for disclosing
+vulnerabilities and other security issues.
+
+Security issues can be complex and one single timescale doesn't fit all
+circumstances. We will make best endeavours to inform you when we expect
+security notifications and fixes to be available and facilitate coordinated
+disclosure when notifications and patches/mitigations are available.
+
+
+## How to Report a Potential Vulnerability?
+
+If you would like to report a public issue (for example, one with a released CVE
+number), please contact the meta-arm mailing list at
+meta-arm@lists.yoctoproject.org and arm-security@arm.com.
+
+If you are dealing with a not-yet released or urgent issue, please send a mail
+to the maintainers (see README.md) and arm-security@arm.com, including as much
+detail as possible.  Encrypted emails using PGP are welcome.
+
+For more information, please visit https://developer.arm.com/support/arm-security-updates/report-security-vulnerabilities.
+
+
+## Branches maintained with security fixes
+
+meta-arm follows the Yocto release model, so see
+[https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS Stable release and
+LTS] for detailed info regarding the policies and maintenance of stable
+branches.
+
+The [https://wiki.yoctoproject.org/wiki/Releases Release page] contains a list of all
+releases of the Yocto Project. Versions in grey are no longer actively maintained with
+security patches, but well-tested patches may still be accepted for them for
+significant issues.
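Review bot: the two links in the "Branches maintained with security fixes" section use MediaWiki bracket syntax, `[https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS Stable release and LTS]` and `[https://wiki.yoctoproject.org/wiki/Releases Release page]`, which Markdown does not render as links; in a SECURITY.md they should be written as `[Stable release and LTS](https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS)` and `[Release page](https://wiki.yoctoproject.org/wiki/Releases)`. In the reporting section, "Encrypted emails using PGP are welcome" gives a reporter no key fingerprint or key location; pointing at where the arm-security@arm.com public key is published (or stating that the linked developer.arm.com page carries it) would let reporters actually encrypt. Minor wording: "coordinated disclosure policy for disclosing vulnerabilities" repeats itself, and the question mark in the "How to Report a Potential Vulnerability?" heading reads oddly for a section title; the double blank lines before the two "##" headings could also be collapsed to one.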