Vulnerability handling processes

Reporting

Follow the Linaro security policy, which is also referenced by the security.txt file (as per RFC 9116).

If you think you have found a security vulnerability in the TuxSuite product or in its infrastructure, then please send an email to the Linaro Product Security Incident Team (PSIRT) at psirt@linaro.org. The PSIRT is referred to from now on as “us/we/our”. We will do our best to respond and fix any issues as soon as possible.

As with any bug, the more information you give, the easier it is to diagnose and fix. Any exploit code is helpful; include it with your report if available.

Let us know your disclosure plans if you have any. This might affect our disclosure plan as described in the next section.

Indicate any sensitive information you do not want us to share. We reserve the right to share any information you give with trusted third parties and eventually the public unless you request otherwise.

If we consider the bug not to be a security vulnerability, we will inform you and direct the bug to the normal support process.

Process

The Linaro PSIRT adheres to the following process:

Triage

When a potential vulnerability report is received by us, we will assess it to understand the potential product impact:

  • If we can reproduce the potential vulnerability, then we carry out the remaining process through to disclosure.
  • If we cannot reproduce the vulnerability, we will inform you and close the report.
  • If we consider the report not to be a security vulnerability, we will inform you and direct the bug to the normal support process.

Risk assessment

We will make a risk-based decision whether the vulnerability will be remediated in the product or if the vulnerability will be addressed through other means, for example, risk acceptance or transference (such as configuration changes).

Temporary remediation

We will decide if and how the vulnerability can be temporarily mitigated, before providing a permanent solution.

Permanent solution

If we decide in the risk assessment that the vulnerability will be remediated in the product, we will fix the vulnerability as soon as possible. We will work with you to determine whether the fix can be provided as a hotfix or, due to the impact/risk, in a major release.

Disclosure

We will communicate vulnerability information as appropriate, for example, by notifying affected customers only or by publishing a public security advisory.

We will also perform retrospective work and incorporate lessons learned from any vulnerability into our processes and products.

Frequently asked questions

1. Do you have a bug bounty program?
We currently don’t have any bug bounty program.

2. Your Domain-based Message Authentication, Reporting and Conformance (DMARC) records aren’t properly configured.
We are aware of this and believe we have enough settings in place. However, if you find that this is still exploitable, don’t hesitate to reach out to us.