On Thu, Apr 04, 2019 at 02:44:35PM +0000, Dan Handley via TSC wrote:
If you think you have found a security vulnerability, then please send an email to the Trusted Firmware security team at <security@trusted-firmware.org>. This is a private team of security officers who will help verify the security vulnerability, develop and release a fix, and disclose the vulnerability details responsibly. Please give us time to implement the disclosure plan described in the next section before going public. We do our best to respond and fix any issues quickly.
I realize that the Linux docs don't mention encryption here, but there will probably be some reporters that will want to send encrypted email. It might be a good idea to have a few people on this list that have well-known PGP keys, and can respond to those people with what key to send a sensitive report to.
David
Thanks David
-----Original Message-----
From: David Brown david.brown@linaro.org
Sent: 04 April 2019 16:27
On Thu, Apr 04, 2019 at 02:44:35PM +0000, Dan Handley via TSC wrote:
If you think you have found a security vulnerability, then please send an email to the Trusted Firmware security team at <security@trusted-firmware.org>.
This is a private team of security officers who will help verify the security vulnerability, develop and release a fix, and disclose the vulnerability details responsibly. Please give us time to implement the disclosure plan described in the next section before going public. We do our best to respond and fix any issues quickly.
I realize that the Linux docs don't mention encryption here, but there will probably be some reporters that will want to send encrypted email. It might be a good idea to have a few people on this list that have well-known PGP keys, and can respond to those people with what key to send a sensitive report to.
I'm fine with having a PGP key for the security team alias to use for communication between the reporter and the security team. We already have this for TF-A. The problem I see is keeping that communication encrypted as it is passed around stakeholders. If it's considered acceptable for the latter communication to happen in the clear (which I guess we'd have to admit to in the process), then that works for me.
Regards
Dan.
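The two points raised in this exchange, a team key whose fingerprint reporters can check before sending, and keeping a report encrypted for everyone it is later forwarded to rather than passing it around in the clear, as a worked example added here. It is not code from the thread, from Trusted Firmware or from the Linux documentation; it assumes GnuPG 2.x is installed as `gpg`, and every key, name and address in it is a throwaway test identity under example.invalid, with a constructed report text.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or the project.
# Assumes GnuPG 2.x on PATH as `gpg`. All keys, names and addresses are
# throwaway test identities generated into a temporary keyring, and the
# report text is constructed for the example.
set -eu

GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"

# Generate a passphrase-less throwaway key for one user id.
gen_key() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$1" default default never >/dev/null 2>&1
}

# Print the 40-hex-digit fingerprint of the primary key for a user id.
# This is the value a team would publish so reporters can verify the key
# they are about to encrypt to.
fingerprint_of() {
  gpg --batch --with-colons --fingerprint "$1" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Encrypt plaintext $1 into ASCII-armoured ciphertext $2 for every user id
# given after that, in one pass, so the report never has to be decrypted
# and re-sent in the clear as it is handed to further stakeholders.
encrypt_to_all() {
  src="$1"; dst="$2"; shift 2
  for uid in "$@"; do
    set -- "$@" --recipient "$uid"   # append "--recipient uid" ...
    shift                            # ... and drop the bare uid
  done
  rm -f "$dst"
  gpg --batch --quiet --trust-model always --armor \
      --output "$dst" --encrypt "$@" "$src"
}

# Count how many public keys a ciphertext is addressed to, by counting the
# public-key-encrypted session-key packets. Lets the sender confirm every
# stakeholder's key was included before forwarding.
recipient_count() {
  gpg --batch --list-packets "$1" 2>/dev/null | grep -c '^:pubkey enc packet:'
}

# Decrypt with whichever secret key in the keyring matches.
decrypt_report() {
  gpg --batch --quiet --decrypt "$1" 2>/dev/null
}

# Demo: a security-team alias key plus two stakeholder keys (test identities).
gen_key 'Security Team (test) <security-test@example.invalid>'
gen_key 'Stakeholder One (test) <one@example.invalid>'
gen_key 'Stakeholder Two (test) <two@example.invalid>'

REPORT="$GNUPGHOME/report.txt"
CIPHERTEXT="$GNUPGHOME/report.txt.asc"
printf 'Constructed sample report: integer overflow in widget parser (test data only)\n' > "$REPORT"

encrypt_to_all "$REPORT" "$CIPHERTEXT" \
  security-test@example.invalid one@example.invalid two@example.invalid

echo "team key fingerprint: $(fingerprint_of security-test@example.invalid)"
echo "ciphertext addressed to $(recipient_count "$CIPHERTEXT") keys"
```

In practice the three identities would live in separate keyrings, and the team would add a stakeholder's key to the recipient list only after checking its fingerprint out of band; `recipient_count` is the cheap sanity check that nobody on the distribution list was left out before the armoured file is mailed on.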