If you think you have found a security vulnerability in Linaro Forge or the License Server, then please send an email to the Linaro Product Security Incident Team (PSIRT) at psirt@linaro.org. The PSIRT is referred to from now on as “us/we/our”. We will do our best to respond and fix any issues as soon as possible.
As with any bug, the more information you provide, the easier it is to diagnose and fix. Any exploit code is very helpful, please include it with your report if available.
Please let us know your disclosure plans if you have any. This may affect our disclosure plan as described in the next section.
Please indicate any sensitive information you do not wish us to share. We reserve the right to share any information you provide with trusted third parties and eventually the public unless you request otherwise.
If we consider the bug not to be a security vulnerability, we will inform you and direct the bug to the normal support process.
The Linaro Forge PSIRT adheres to the following process:
When a potential vulnerability report is received by us, we will assess it to understand the potential product impact:
1. If we can reproduce the potential vulnerability, then we carry out the remaining process through to disclosure.
2. If we can not reproduce the vulnerability, we will inform you and close the report.
3. If we consider the report not to be a security vulnerability, we will inform you and direct the bug to the normal support process.
We will make a risk-based decision as to whether the vulnerability will be remediated in the product or if the vulnerability will be addressed through other means, for example risk acceptance or transference (such as configuration changes).
We will determine if and how the vulnerability can be temporarily mitigated, before providing a permanent solution.
If we decided in the risk assessment that the vulnerability will be remediated in the product, we will fix the vulnerability as soon as possible. We will work with you if the fix can be provided as a hotfix, in a monthly support release or due the impact/risk, in a major release.
We will communicate vulnerability information as appropriate, for example by notifying affected customers only or by publishing a public security advisory. We will also perform retrospective work and incorporated learnings from any vulnerability in our processes and products.