<!--
SPDX-FileCopyrightText: Huawei Inc.

SPDX-License-Identifier: CC-BY-4.0
-->

# How to report a vulnerability?

If you think you have found a security issue in our distribution, please contact us immediately by posting a confidential issue in our bug tracker in a [dedicated security project](https://booting.oniroproject.org/security/bugtracker/-/issues).

To do so, log in to our issue tracker or create a new account if you do not have one yet. Click on `New issue`, then make sure to check the checkbox at the bottom: `This issue is confidential and should only be visible to team members with at least Reporter access`. Please use the `Issue` type of ticket and the associated template. Fill in the title and answer the questions in the `Description` field. Then click `Create issue`.

Your report should contain a description of the issue, the steps you took to reproduce the issue (including the image name), affected versions, and, if known, any mitigations for the issue.

We plan to add a security-related mailing list and a possibility to send GPG-encrypted email in the near future.

We aim to acknowledge receipt within one working day and to respond with a first assessment within three working days. We follow a 90-day disclosure timeline.

We will be happy to acknowledge your work in the vulnerability announcement, and will do so if you do not object.