@@ -0,0 +1,37 @@
+# Reporting vulnerabilities
+
+Arm takes security issues seriously and welcomes feedback from researchers and
+the security community in order to improve the security of its products and
+services. We operate a coordinated disclosure policy for disclosing
+vulnerabilities and other security issues.
+
+Security issues can be complex and one single timescale doesn't fit all
+circumstances. We will make best endeavours to inform you when we expect
+security notifications and fixes to be available and facilitate coordinated
+disclosure when notifications and patches/mitigations are available.
+
+
+## How to Report a Potential Vulnerability?
+
+If you would like to report a public issue (for example, one with a released CVE
+number), please contact the meta-arm mailing list at
+meta-arm@lists.yoctoproject.org and arm-security@arm.com.
+
+If you are dealing with a not-yet released or urgent issue, please send a mail
+to the maintainers (see README.md) and arm-security@arm.com, including as much
+detail as possible. Encrypted emails using PGP are welcome.
+
+For more information, please visit https://developer.arm.com/support/arm-security-updates/report-security-vulnerabilities.
+
+
+## Branches maintained with security fixes
+
+meta-arm follows the Yocto release model, so see
+[https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS Stable release and
+LTS] for detailed info regarding the policies and maintenance of stable
+branches.
+
+The [https://wiki.yoctoproject.org/wiki/Releases Release page] contains a list of all
+releases of the Yocto Project. Versions in grey are no longer actively maintained with
+security patches, but well-tested patches may still be accepted for them for
+significant issues.
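Review bot: The two links under "Branches maintained with security fixes" use MediaWiki syntax (`[https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS Stable release and LTS]` and `[https://wiki.yoctoproject.org/wiki/Releases Release page]`), while the rest of the file uses Markdown headings (`#`, `##`), so they will render as literal bracketed text rather than links. Suggest the Markdown form, for example `[Stable release and LTS](https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS)`, kept on one line so the link text does not wrap mid-link. Separately, the sentence "Encrypted emails using PGP are welcome." gives a reporter nothing to encrypt to: the hunk names no key, fingerprint, or place to fetch one for either the maintainers or arm-security@arm.com, so a pointer to where the key is published would make the not-yet-released reporting path usable without a plaintext round trip first. Minor style point: the heading "How to Report a Potential Vulnerability?" is title-cased with a question mark while the other headings are sentence-case without one.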