From a92720cc2110618450e758856b3a417c3773392d Mon Sep 17 00:00:00 2001
From: Marta Rybczynska <marta.rybczynska@huawei.com>
Date: Wed, 10 Nov 2021 08:12:27 +0100
Subject: [PATCH] SECURITY.md: add to all layers

SECURITY.md is a standard way to include information on how to
report a vulnerability in a project. Add it to all layers that
can be considered a separate work and could be copied by users.

Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
---
 SECURITY.md                       | 33 +++++++++++++++++++++++++++++++
 docs/SECURITY.md                  |  1 +
 meta-oniro-blueprints/SECURITY.md |  1 +
 meta-oniro-core/SECURITY.md       |  1 +
 meta-oniro-staging/SECURITY.md    |  1 +
 5 files changed, 37 insertions(+)
 create mode 100644 SECURITY.md
 create mode 120000 docs/SECURITY.md
 create mode 120000 meta-oniro-blueprints/SECURITY.md
 create mode 120000 meta-oniro-core/SECURITY.md
 create mode 120000 meta-oniro-staging/SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..b85a26f3
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,33 @@
+<!--
+SPDX-FileCopyrightText: Huawei Inc.
+
+SPDX-License-Identifier: CC-BY-4.0
+-->
+
+# How to report a vulnerability?
+
+If you think you have found a security issue in our distribution, please
+contact us immediatelly by posting a confidential issue in our bug
+tracker in a [dedicated security project](https://booting.oniroproject.org/security/bugtracker/-/issues).
+
+To do so, login into our issue tracker or create a new account if you do not
+have one yet. Click on `New issue`, then make sure to check the checkbox at
+the bottom
+`This issue is confidential and should only be visible to team members with at least Reporter access`.
+Please use the `Issue` type of ticket and the associated template. Fill in the
+title, answer the questions in the `Description` field. Then click
+`Create issue`.
+
+Your report should contain a description of the issue, the steps you took to
+reproduce the issue (including the image name), affected versions, and,
+if known, any mitigations for the issue.
+
+We plan to add a security-related mailing list and a possibility to send
+GPG-encrypted email in the near future.
+
+We aim to acknowledge the reception within one working day, and responding
+with a first assessment within three working days. We follow a 90 days
+disclosure timeline.
+
+We will be happy to acknowledge your work in the vulnerability
+announcement, and will do so if you do not object.
diff --git a/docs/SECURITY.md b/docs/SECURITY.md
new file mode 120000
index 00000000..4983afb6
--- /dev/null
+++ b/docs/SECURITY.md
@@ -0,0 +1 @@
+SECURITY.md
\ No newline at end of file
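Review bot: the symlink target is wrong for this location. A symlink is resolved relative to the directory that contains it, so `docs/SECURITY.md -> SECURITY.md` resolves to `docs/SECURITY.md` itself and produces a symlink loop (ELOOP) instead of the top-level file; the target needs to be `../SECURITY.md`. The same applies to the three sibling links in `meta-oniro-blueprints`, `meta-oniro-core` and `meta-oniro-staging`, which share blob `4983afb6`. Note also that the commit message motivates the change with layers that "could be copied by users"; a relative symlink dangles as soon as a layer is copied out of this tree, so a plain copy of the file in each layer would serve that goal better than a link.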
diff --git a/meta-oniro-blueprints/SECURITY.md b/meta-oniro-blueprints/SECURITY.md
new file mode 120000
index 00000000..4983afb6
--- /dev/null
+++ b/meta-oniro-blueprints/SECURITY.md
@@ -0,0 +1 @@
+SECURITY.md
\ No newline at end of file
diff --git a/meta-oniro-core/SECURITY.md b/meta-oniro-core/SECURITY.md
new file mode 120000
index 00000000..4983afb6
--- /dev/null
+++ b/meta-oniro-core/SECURITY.md
@@ -0,0 +1 @@
+SECURITY.md
\ No newline at end of file
diff --git a/meta-oniro-staging/SECURITY.md b/meta-oniro-staging/SECURITY.md
new file mode 120000
index 00000000..4983afb6
--- /dev/null
+++ b/meta-oniro-staging/SECURITY.md
@@ -0,0 +1 @@
+SECURITY.md
\ No newline at end of file
-- 
GitLab