Lines Matching full:the
9 Vulnerabilities to the Zephyr project may be reported via email to the
11 acknowledged and analyzed by the security response team within 1 week.
12 Each vulnerability will be entered into the Zephyr Project security
13 advisory GitHub_. The original submitter will be granted permission to
14 view the issues that they have reported.
53 directly by a reporter. When entered by the response team in
54 response to an email, the issue shall be transitioned directly to
57 - Triage: This issue is awaiting Triage by the response team. The
58 response team will analyze the issue, determine a responsible
59 entity, assign it to that individual, and move the
60 issue to the Assigned state. Part of triage will be to set the
63 - Assigned: The issue has been assigned, and is awaiting a fix by the
66 - Review: Once there is a Zephyr pull request for the issue, the PR
67 link will be added to a comment in the issue, and the issue moved to
68 the Review state.
70 - Accepted: Indicates that this issue has been merged into the
73 - Public: The embargo period has ended. The issue will be made
74 publicly visible, the associated CVE updated, and the
75 vulnerabilities page in the docs updated to include the detailed
78 The security advisories created are kept private, due to the
79 sensitive nature of security reports. The issues are only visible to
82 - Members of the PSIRT mailing list
84 - the reporter
86 - others, as proposed and ratified by the Zephyr Security
87 Subcommittee. In the general case, this will include:
89 - The code owner responsible for the fix.
91 - The Zephyr release owners for the relevant releases affected by
94 The Zephyr Security Subcommittee shall review the reported
99 The guideline for embargo will be based on: 1. Severity of the issue,
100 and 2. Exploitability of the issue. Issues that the subcommittee
101 decides do not need an embargo will be reproduced in the regular
107 embargo period of at most 90 days. The intent is to allow 30 days
108 within the Zephyr project to fix the issues, and 60 days for external
114 Fixes to the code shall be made through pull requests (PRs) in the Zephyr
115 project GitHub. Developers shall make an attempt to not reveal the
117 numbers that have been assigned to the issue. The developer instead
120 The security subcommittee will maintain information mapping embargoed
121 CVEs to these PRs (this information is within the Github security
122 advisories), and produce regular reports of the state of security
134 that release. Because of the sensitive nature of these
135 vulnerabilities, the release shall merely include a list of CVEs that
136 have been fixed. After the embargo period, the vulnerabilities page
138 vulnerabilities. The vulnerability page shall give credit to the
141 The Zephyr project shall maintain a vulnerability-alerts mailing list.
144 out the form at the `Vulnerability Registry`_. These parties will be
145 vetted by the project director to determine that they have a
147 the embargo period.
151 Periodically, the security subcommittee will send information to this
153 status within the project. This information is intended to allow them
159 - The Zephyr Project security advisory link (GitHub).
161 - The CVE number assigned.
163 - The subsystem involved.
165 - The severity of the issue.
167 After acceptance of a PR fixing the issue (merged), in addition to the
168 above, the list will be informed of:
170 - The association between the CVE number and the PR fixing it.
172 - Backport plans within the Zephyr project.
177 Each security issue fixed within Zephyr shall be backported to the
180 - The current Long Term Stable (LTS) release.
182 - The most recent two releases.
184 The developer of the fix shall be responsible for any necessary
185 backports, and apply them to any of the above listed release branches,
186 unless the fix does not apply (the vulnerability was introduced after
190 recommended that the developer privately informs the responsible
191 release manager that the backport pull request and issue are addressing
194 Backports will be tracked on the security advisory.
199 Due to the sensitive nature of security vulnerabilities, it is
201 a need to know. The following parties will need to know details about
202 security vulnerabilities before the embargo period ends:
207 - The current release manager, and the release manager for historical
208 releases affected by the vulnerability (see backporting above).
210 - The Project Security Incident Response (PSIRT) team will have full
211 access to information. The PSIRT is made up of representatives from