hartmannathan commented on code in PR #17583: URL: https://github.com/apache/nuttx/pull/17583#discussion_r2651219339
########## Documentation/security.rst: ########## 
@@ -0,0 +1,158 @@ +======== +Security +======== + +.. toctree:: + +Known vulnerabilities +===================== + +Apache NuttX RTOS vulnerabilities are labelled with CVE (Common +Vulnerabilities and Exposures) identifiers. List of known, responsibly +disclosed, and fixed vulnerabilities are publicly available online at +`CVE.ORG <https://www.cve.org/CVERecord/SearchResults?query=nuttx>`_. +Offline bundled version is located at the bottom of this page in the +`NuttX CVEs`_ section. + +Reporting Vulnerabilities +========================= + +Security related issues are handled in compliance with +`The Apache Security Team Guide <https://www.apache.org/security/>`_ +and `Apache Committers Security Guide +<https://www.apache.org/security/committers.html>`_. +Please read these documents carefully before submitting and/or +handling a security vulnerability. + +.. warning:: + Do not enter details of security vulnerabilities in a project's public + bug tracker, issues, or pull requests. Do not make information about + the vulnerability public until it is formally announced at the end + of this process. Messages associated with any commits should not make + any reference to the security nature of the commit. + + +Below is an extract of the most important information: + +1. Please report potential security vulnerabilities over email to + [email protected] and [email protected] **before disclosing + them in any public form**. This enables responsible disclosure by + providing a fix for everyone impacted before details are made public. + +2. Please send one plain-text, unencrypted, email for each vulnerability + you are reporting. We may ask you to resubmit your report if you send + it as an image, movie, HTML, or PDF attachment when you could as easily + describe it with plain text. + +3. Do not enter details of security vulnerabilities in a project's public + bug tracker, issues, or pull requests. 
Do not make information about + the vulnerability public until it is formally announced at the end + of this process. Messages associated with any commits should not make + any reference to the security nature of the commit. + +4. Security fixes are usually part of the standard release cycle, but for + urgent cases special patch releases may be created to address the issue. + In order to keep this process smooth please provide us with as much + details as possible. **Reproducible examples, proof-of-concept code, + but most importanly fix patches are more than welcome.** Review Comment: ```suggestion but most importantly fix patches are more than welcome.** ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
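Review bot: the `.. warning::` box and item 3 of the numbered list carry the same three sentences word for word ("Do not enter details of security vulnerabilities in a project's public bug tracker ... any reference to the security nature of the commit"); keep one copy, e.g. the warning, and have item 3 refer to it, so the two cannot drift apart in later edits. Two small grammar fixes in the same hunk: "List of known, responsibly disclosed, and fixed vulnerabilities are publicly available" should read "A list of known, responsibly disclosed, and fixed vulnerabilities is publicly available", and "provide us with as much details as possible" should read "provide us with as much detail as possible". The `.. toctree::` directive near the top has no entries and no options; if nothing is meant to be nested under this page, drop it rather than leave an empty directive.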
