On Thu, Apr 04, 2019 at 02:44:35PM +0000, Dan Handley via TSC wrote:
> If you think you have found a security vulnerability, then please send an email to the Trusted Firmware security team at <security@trusted-firmware.org>. This is a private team of security officers who will help verify the security vulnerability, develop and release a fix, and disclose the vulnerability details responsibly. Please give us time to implement the disclosure plan described in the next section before going public. We do our best to respond and fix any issues quickly.
I realize that the Linux docs don't mention encryption here, but there will probably be some reporters that will want to send encrypted email. It might be a good idea to have a few people on this list that have well-known PGP keys, and can respond to those people with what key to send a sensitive report to.
David