diff --git a/MAINTAINERS b/MAINTAINERS index 9eff2b8ab..45e870c78 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -8,6 +8,10 @@ Here is the list of current GRUB maintainers: The maintainers drive and overlook the GRUB development. +If you found a security vulnerability in the GRUB please check the SECURITY +file to get more information how to properly report this kind of bugs to +the maintainers. + The GRUB development happens on the grub-devel mailing list [1]. The latest GRUB source code is available at Savannah git repository [2]. diff --git a/README b/README index b1aa79723..49ce15ea3 100644 --- a/README +++ b/README @@ -9,6 +9,10 @@ GRUB 2 data and program files. See the file MAINTAINERS for information about the GRUB maintainers, etc. +If you found a security vulnerability in the GRUB please check the SECURITY +file to get more information how to properly report this kind of bugs to +the maintainers. + Please visit the official web page of GRUB 2, for more information. The URL is . diff --git a/SECURITY b/SECURITY new file mode 100644 index 000000000..1c3e8ef36 --- /dev/null +++ b/SECURITY @@ -0,0 +1,60 @@ +Security Policy +=============== + +To report a vulnerability see "Reporting a Vulnerability" below. + + +Security Incident Policy +======================== + +Security bug reports are treated with special attention and are handled +differently from normal bugs. In particular, security sensitive bugs are not +handled in public but in private. Information about the bug and access to it +is restricted to people in the security group, the individual engineers that +work on fixing it, and any other person who needs to be involved for organisational +reasons. The process is handled by the security team, which decides on the people +involved in order to fix the issue. It is also guaranteed that the person reporting +the issue has visibility into the process of fixing it. Any security issue gets +prioritized according to its security rating. The issue is opened up to the public +in coordination with the release schedule and the reporter. + + +Disclosure Policy +================= + +Everyone involved in the handling of a security issue - including the reporter - +is required to adhere to the following policy. Any information related to +a security issue must be treated as confidential and only shared with trusted +partners if necessary, for example to coordinate a release or manage exposure +of clients to the issue. No information must be disclosed to the public before +the embargo ends. The embargo time is agreed upon by all involved parties. It +should be as short as possible without putting any users at risk. + + +Supported Versions +================== + +Only the most recent version of the GRUB is supported. + + +Reporting a Vulnerability +========================= + +The security report should be encrypted with the PGP keys and sent to ALL email +addresses listed below. Every vulnerability report will be assessed within +72 hours of receiving it. If the outcome of the assessment is that the report +describes a security issue, the report will be transferred into an issue on the +internal vulnerability project for further processing. The reporter is updated +on each step of the process. + +While there's currently no bug bounty program we appreciate every report. + +* Contact: Daniel Kiper and + Daniel Kiper +* PGP Key Fingerprint: BE5C 2320 9ACD DACE B20D B0A2 8C81 89F1 988C 2166 + +* Contact: Alex Burmashev +* PGP Key Fingerprint: 50A4 EC06 EF7E B84D 67E0 3BB6 2AE2 C87E 28EF 2E6E + +* Contact: Vladimir 'phcoder' Serbinenko +* PGP Key Fingerprint: E53D 497F 3FA4 2AD8 C9B4 D1E8 35A9 3B74 E82E 4209