Z572/grub
1
0
Fork 0
mirror of http://cgit.git.savannah.gnu.org/git/grub.git synced 2026-06-15 23:16:03 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
grub/SECURITY
T
Leo Sandoval b07cc37ca6 SECURITY: Update security team members names/fingerprints 
Daniel has stepped down [1] whereas Marta and Leo are joining the security team.

[1] https://lists.gnu.org/archive/html/grub-devel/2026-02/msg00021.html

Signed-off-by: Leo Sandoval <lsandova@redhat.com>
Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Andrew Hamilton <adhamilt@gmail.com>
2026-03-13 18:15:37 +01:00

63 lines
2.6 KiB
Plaintext
Raw Permalink Blame History

Security Policy
===============
To report a vulnerability see "Reporting a Vulnerability" below.
Security Incident Policy
========================
Security bug reports are treated with special attention and are handled
differently from normal bugs. In particular, security sensitive bugs are not
handled in public but in private. Information about the bug and access to it
is restricted to people in the security group, the individual engineers that
work on fixing it, and any other person who needs to be involved for organisational
reasons. The process is handled by the security team, which decides on the people
involved in order to fix the issue. It is also guaranteed that the person reporting
the issue has visibility into the process of fixing it. Any security issue gets
prioritized according to its security rating. The issue is opened up to the public
in coordination with the release schedule and the reporter.
Disclosure Policy
=================
Everyone involved in the handling of a security issue - including the reporter -
is required to adhere to the following policy. Any information related to
a security issue must be treated as confidential and only shared with trusted
partners if necessary, for example to coordinate a release or manage exposure
of clients to the issue. No information must be disclosed to the public before
the embargo ends. The embargo time is agreed upon by all involved parties. It
should be as short as possible without putting any users at risk.
Supported Versions
==================
Only the most recent version of the GRUB is supported.
Reporting a Vulnerability
=========================
The security report should be encrypted with the PGP keys and sent to ALL email
addresses listed below. Every vulnerability report will be assessed within
72 hours of receiving it. If the outcome of the assessment is that the report
describes a security issue, the report will be transferred into an issue on the
internal vulnerability project for further processing. The reporter is updated
on each step of the process.
While there's currently no bug bounty program we appreciate every report.
* Contact: Marta Lewandowska <mlewando@redhat.com>
* PGP Key Fingerprint: 5B21 5739 7348 6620 C0FF 7073 DDF0 92F7 4C8F 619B
* Contact: Leonardo Sandoval Gonzalez <lsandova@redhat.com>
* PGP Key Fingerprint: DFB6 2CC1 A987 E6C7 6EBF 8143 916E C070 8CDF DDFD
* Contact: Alex Burmashev <alexander.burmashev@oracle.com>
* PGP Key Fingerprint: 50A4 EC06 EF7E B84D 67E0 3BB6 2AE2 C87E 28EF 2E6E
* Contact: Vladimir 'phcoder' Serbinenko <phcoder@gmail.com>
* PGP Key Fingerprint: E53D 497F 3FA4 2AD8 C9B4 D1E8 35A9 3B74 E82E 4209
Reference in New Issue View Git Blame Copy Permalink