SECURITY - pub/scm/linux/kernel/git/ardb/grub - Git at Google

 Security Policy
 ===============

 To report a vulnerability see "Reporting a Vulnerability" below.


 Security Incident Policy
 ========================

 Security bug reports are treated with special attention and are handled
 differently from normal bugs. In particular, security sensitive bugs are not
 handled in public but in private. Information about the bug and access to it
 is restricted to people in the security group, the individual engineers that
 work on fixing it, and any other person who needs to be involved for organisational
 reasons. The process is handled by the security team, which decides on the people
 involved in order to fix the issue. It is also guaranteed that the person reporting
 the issue has visibility into the process of fixing it. Any security issue gets
 prioritized according to its security rating. The issue is opened up to the public
 in coordination with the release schedule and the reporter.


 Disclosure Policy
 =================

 Everyone involved in the handling of a security issue - including the reporter -
 is required to adhere to the following policy. Any information related to
 a security issue must be treated as confidential and only shared with trusted
 partners if necessary, for example to coordinate a release or manage exposure
 of clients to the issue. No information must be disclosed to the public before
 the embargo ends. The embargo time is agreed upon by all involved parties. It
 should be as short as possible without putting any users at risk.


 Supported Versions
 ==================

 Only the most recent version of the GRUB is supported.


 Reporting a Vulnerability
 =========================

 The security report should be encrypted with the PGP keys and sent to ALL email
 addresses listed below. Every vulnerability report will be assessed within
 72 hours of receiving it. If the outcome of the assessment is that the report
 describes a security issue, the report will be transferred into an issue on the
 internal vulnerability project for further processing. The reporter is updated
 on each step of the process.

 While there's currently no bug bounty program we appreciate every report.

 * Contact: Daniel Kiper <daniel.kiper@oracle.com> and
            Daniel Kiper <dkiper@net-space.pl>
 * PGP Key Fingerprint: BE5C 2320 9ACD DACE B20D  B0A2 8C81 89F1 988C 2166

 * Contact: Alex Burmashev <alexander.burmashev@oracle.com>
 * PGP Key Fingerprint: 50A4 EC06 EF7E B84D 67E0  3BB6 2AE2 C87E 28EF 2E6E

 * Contact: Vladimir 'phcoder' Serbinenko <phcoder@gmail.com>
 * PGP Key Fingerprint: E53D 497F 3FA4 2AD8 C9B4  D1E8 35A9 3B74 E82E 4209
	Security Policy
	===============

	To report a vulnerability see "Reporting a Vulnerability" below.


	Security Incident Policy
	========================

	Security bug reports are treated with special attention and are handled
	differently from normal bugs. In particular, security sensitive bugs are not
	handled in public but in private. Information about the bug and access to it
	is restricted to people in the security group, the individual engineers that
	work on fixing it, and any other person who needs to be involved for organisational
	reasons. The process is handled by the security team, which decides on the people
	involved in order to fix the issue. It is also guaranteed that the person reporting
	the issue has visibility into the process of fixing it. Any security issue gets
	prioritized according to its security rating. The issue is opened up to the public
	in coordination with the release schedule and the reporter.


	Disclosure Policy
	=================

	Everyone involved in the handling of a security issue - including the reporter -
	is required to adhere to the following policy. Any information related to
	a security issue must be treated as confidential and only shared with trusted
	partners if necessary, for example to coordinate a release or manage exposure
	of clients to the issue. No information must be disclosed to the public before
	the embargo ends. The embargo time is agreed upon by all involved parties. It
	should be as short as possible without putting any users at risk.


	Supported Versions
	==================

	Only the most recent version of the GRUB is supported.


	Reporting a Vulnerability
	=========================

	The security report should be encrypted with the PGP keys and sent to ALL email
	addresses listed below. Every vulnerability report will be assessed within
	72 hours of receiving it. If the outcome of the assessment is that the report
	describes a security issue, the report will be transferred into an issue on the
	internal vulnerability project for further processing. The reporter is updated
	on each step of the process.

	While there's currently no bug bounty program we appreciate every report.

	* Contact: Daniel Kiper <daniel.kiper@oracle.com> and
	Daniel Kiper <dkiper@net-space.pl>
	* PGP Key Fingerprint: BE5C 2320 9ACD DACE B20D B0A2 8C81 89F1 988C 2166

	* Contact: Alex Burmashev <alexander.burmashev@oracle.com>
	* PGP Key Fingerprint: 50A4 EC06 EF7E B84D 67E0 3BB6 2AE2 C87E 28EF 2E6E

	* Contact: Vladimir 'phcoder' Serbinenko <phcoder@gmail.com>
	* PGP Key Fingerprint: E53D 497F 3FA4 2AD8 C9B4 D1E8 35A9 3B74 E82E 4209