<title>Security Vulnerability Handling — OpenEcosystem Portal</title>
<link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
<link rel="stylesheet" type="text/css" href="../_static/css/blank.css" />
<link rel="stylesheet" type="text/css" href="../_static/bootstrap-icons/font/bootstrap-icons.css" />
<link rel="stylesheet" type="text/css" href="../_static/dlux-bootstrap/css/dlux.min.css" />
<link rel="stylesheet" type="text/css" href="../_static/OSPO/css/ospo.css" />
<link rel="stylesheet" type="text/css" href="../_static/star-rating.js/dist/star-rating.css" />
<script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
<script src="../_static/jquery.js"></script>
<script src="../_static/underscore.js"></script>
<script src="../_static/doctools.js"></script>
<script src="../_static/rss-parser/rss-parser.min.js"></script>
<script src="../_static/OSPO/js/ospo.js"></script>
<script src="../_static/OSPO/js/slider.js"></script>
<script src="../_static/star-rating.js/dist/star-rating.js"></script>
<script src="../_static/dayjs/dayjs.min.js"></script>
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="CVE Management of 3rd Party Components" href="Cvesecuritymanagement.html" />
<link rel="prev" title="Review System" href="Reviewsystem.html" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<meta name="docsearch:language" content="None">
<!-- Google Analytics -->
<!-- Google tag (gtag.js) -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-2N6KKNN0T3"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'G-2N6KKNN0T3');
</script>
<div class="navbar-row sticky-top">
</ul>
</div>
<div class="bd-container">
<!-- Only show if we have sidebars configured, else just a small margin -->
<div class="bd-sidebar"><nav class="bd-links w-100" id="bd-docs-nav" aria-label="Main navigation">
<main class="bd-main">
<div class="content-row h-100" >
<div class="bd-content">
<div class="bd-article-container">
<div id="bodyRow" class="row" role="main">
Where and how to handle a security issue in open source projects can be
confusing. Please review the IPAS policy for open source security
vulnerability handling and SDL Guidance for Open Source and Co-development to fully understand your role and responsibilities. A
developer training to help you better understand your individual role is
available here.
An internal mailing list - oss-security@eclists.intel.com - is available if you require assistance in either understanding your role and responsibilities, or how to handle a vulnerability within a specific project or product.
If you are responsible for a public Intel-owned opensource project you must:
Provide a public security policy that directs users to report security issues to secure@intel.com.
Intel owned projects hosted on GitHub, especially any projects in official Intel GitHub organizations, should include a default
security.mdfile that directs users into IPAS to report any security issues found in that project. Please download the defaultsecurity.mdand include it in the root of your github repository.
Report any security issues identified during development to secure@intel.com
You must work with IPAS to disclose issues and mitigations to your users.
EXCEPTION: Intel staging should refer third-parties to the community project the staging tree feeds into.
If you consume opensource software in an Intel branded product you must:
Ensure that the project is well maintained and can fix and merge issues in a timely way into a regular release cadence.
Ensure that the project(s) has a security issue handling policy that defines:
How security issues will be reported to the project, and whether that method is private or public.
How issues will be disclosed to users, and on what timeline
Report any security issues in projects you consume in released versions of your product to secure@intel.com
NOTE: If you consume critical dependencies from poorly maintained projects without defined security processes, you may be required to either remove the dependency, or mitigate known security vulnerabilities directly within your project.
Intel would like to see a minimal security vulnerability process in place for any upstream community project Intel creates or participates in. That process would ideally include:
A private channel for reporting security issues to the project
A defined timeline for public disclosure of the issue/patches starting from the initial report.
A defined security advisory publication and CVE process.
Projects can request CVEs directly from MITRE
GitHub has a well-defined process for creating security advisories and CVEs
Security issues can be privately disclosed to common Linux distributions through the Openwall Operating system distribution security contact lists if coordinated deployment is required before public disclosure.
An internal mailing list - oss-security@eclists.intel.com - is available if you require assistance in either understanding your role and responsibilities, or how to handle a vulnerability within a specific project or product.
</div>
</div>
</div>
<div class="bd-sidebar-secondary bd-toc">
- Your Roles and Responsibilities
- Intel-Owned Project/Product Responsibilities
- Community Project Expectations
- Revision History
</div>
</div>
</main>
<div class="footer-item">
<div class="col">
<div class="card border-0 m-0 bg-tranparent">
<div class="card-body p-0">
<h4 class="card-title">Our Organization</h4>
<a
class="nav-link" href="
https://intel.sharepoint.com/sites/strategytoexecution/SitePages/Open.Intel.aspx
">Open Ecosystem Org</a>
<a
class="nav-link" href="
https://intel.sharepoint.com/sites/strategytoexecution
">Strategy to Execution (S2E)</a>
<a
class="nav-link" href="
https://intel.sharepoint.com/sites/SATG
">Office of the CTO & SATG</a>
</div>
</div>
</div>
<div class="col">
<div class="card border-0 m-0 bg-tranparent">
<div class="card-body p-0">
<h4 class="card-title">Contact Us</h4>
<a
class="nav-link" href="
https://web.yammer.com/main/org/intel.com/groups/eyJfdHlwZSI6Ikdyb3VwIiwiaWQiOiIxMjczNzU0NDE5MiJ9/new
">Open Ecosystem or content queries</a>
<a
class="nav-link" href="
mailto:stephen.e.ware@intel.com
">Broken links, failed pages...</a>
</div>
</div>
</div>
<div class="col">
<div class="card border-0 m-0 bg-tranparent">
<div class="card-body p-0">
<h4 class="card-title">Rate this page</h4>
<select id="starrating" class="star-rating"
onchange="(() => gtag('event', 'star_rating', { stars: document.getElementById('starrating').value}))()">
<option value="5">Excellent</option>
<option value="4">Very Good</option>
<option value="3">Average</option>
<option value="2">Poor</option>
<option value="1">Terrible</option>
</select>
</div>
</div>
</div>
</div>