Redirect security incident report to TrustedFirmware.org
All projects under the TrustedFirmware.org project now use the same
security incident process, therefore update the disclosure/vulnerability
reporting information in the TF-A documentation.
------------------------------------------------------------------------
/!\ IMPORTANT /!\
Please note that the email address to send these reports to has changed.
Please do *not* use trusted-firmware-security@arm.com anymore.
Similarly, the PGP key provided to encrypt emails to the security email
alias has changed as well. Please do *not* use the former one provided
in the TF-A source tree. It is recommended to remove it from your
keyring to avoid any mistake. Please use the new key provided on
TrustedFirmware.org from now on.
------------------------------------------------------------------------
Change-Id: I14eb61017ab99182f1c45d1e156b96d5764934c1
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
diff --git a/docs/process/security.rst b/docs/process/security.rst
index c3935da..516eb98 100644
--- a/docs/process/security.rst
+++ b/docs/process/security.rst
@@ -20,40 +20,13 @@
Although we try to keep TF-A secure, we can only do so with the help of the
community of developers and security researchers.
-If you think you have found a security vulnerability, please **do not** report it
-in the `issue tracker`_. Instead send an email to
-trusted-firmware-security@arm.com
-
-Please include:
-
-* Trusted Firmware-A version (or commit) affected
-
-* A description of the concern or vulnerability
-
-* Details on how to replicate the vulnerability, including:
-
- - Configuration details
-
- - Proof of concept exploit code
-
- - Any additional software or tools required
-
-We recommend using :download:`this PGP/GPG key <./security-reporting.asc>` for
-encrypting the information. This key is also available at
-http://keyserver.pgp.com and LDAP port 389 of the same server.
-
-The fingerprint for this key is:
-
-::
-
- 1309 2C19 22B4 8E87 F17B FE5C 3AB7 EFCB 45A0 DFD0
-
-If you would like replies to be encrypted, please provide your public key.
-
-Please give us the time to respond to you and fix the vulnerability before going
-public. We do our best to respond and fix any issues quickly. We also need to
-ensure providers of products that use TF-A have a chance to consider the
-implications of the vulnerability and its remedy.
+If you think you have found a security vulnerability, please **do not** report
+it in the `issue tracker`_. Instead, please follow the `TrustedFirmware.org
+security incident process`_. One of the goals of this process is to ensure
+providers of products that use TF-A have a chance to consider the implications
+of the vulnerability and its remedy before it is made public. As such, please
+follow the disclosure plan outlined in the process. We do our best to respond
+and fix any issues quickly.
Afterwards, we encourage you to write-up your findings about the TF-A source
code.
@@ -61,8 +34,8 @@
Attribution
-----------
-We will name and thank you in the :ref:`Change Log & Release Notes` distributed with the source
-code and in any published security advisory.
+We will name and thank you in the :ref:`Change Log & Release Notes` distributed
+with the source code and in any published security advisory.
Security Advisories
-------------------
@@ -96,7 +69,6 @@
+-----------+------------------------------------------------------------------+
.. _issue tracker: https://developer.trustedfirmware.org/project/board/1/
-.. _this PGP/GPG key: security-reporting.asc
.. |TFV-1| replace:: :ref:`Advisory TFV-1 (CVE-2016-10319)`
.. |TFV-2| replace:: :ref:`Advisory TFV-2 (CVE-2017-7564)`
@@ -107,6 +79,8 @@
.. |TFV-7| replace:: :ref:`Advisory TFV-7 (CVE-2018-3639)`
.. |TFV-8| replace:: :ref:`Advisory TFV-8 (CVE-2018-19440)`
+.. _TrustedFirmware.org security incident process: https://developer.trustedfirmware.org/w/collaboration/security_center/
+
--------------
-*Copyright (c) 2019, Arm Limited. All rights reserved.*
+*Copyright (c) 2019-2020, Arm Limited. All rights reserved.*