Lines Matching full:to

9 Vulnerabilities to the Zephyr project may be reported via email to the
13 advisory GitHub_. The original submitter will be granted permission to
22 number of states according to this diagram:
54 response to an email, the issue shall be transitioned directly to
59 entity, assign it to that individual, and move the
60 issue to the Assigned state. Part of triage will be to set the
67 link will be added to a comment in the issue, and the issue moved to
75 vulnerabilities page in the docs updated to include the detailed
78 The security advisories created are kept private, due to the
79 sensitive nature of security reports. The issues are only visible to
97 need to be embargoed.
107 embargo period of at most 90 days. The intent is to allow 30 days
108 within the Zephyr project to fix the issues, and 60 days for external
109 parties building products using Zephyr to be able to apply and
114 Fixes to the code shall be made through pull requests PR in the Zephyr
115 project github. Developers shall make an attempt to not reveal the
116 sensitive nature of what is being fixed, and shall not refer to CVE
117 numbers that have been assigned to the issue. The developer instead
121 CVEs to these PRs (this information is within the Github security
126 assigned a CVE number. As fixes are created, it may be necessary to
127 allocate additional CVE numbers, or to retire numbers that were
137 shall be updated to include additional details of these
138 vulnerabilities. The vulnerability page shall give credit to the
143 member. Additional parties can request to join this list by filling
145 vetted by the project director to determine that they have a
151 Periodically, the security subcommittee will send information to this
153 status within the project. This information is intended to allow them
154 to determine if they need to backport these changes to any internal
167 After acceptance of a PR fixing the issue (merged), in addition to the
177 Each security issue fixed within zephyr shall be backported to the
185 backports, and apply them to any of the above listed release branches,
196 Need to Know
199 Due to the sensitive nature of security vulnerabilities, it is
200 important to share details and fixes only with those parties that have
201 a need to know. The following parties will need to know details about
204 - Maintainers will have access to all information within their domain
211 access to information. The PSIRT is made up of representatives from
215 - As needed, release managers and maintainers may be invited to attend
216 additional security meetings to discuss vulnerabilities.