
Security: tpm2-software/tpm2-tools

docs/SECURITY.md

Security Policy

Supported Versions

Currently supported versions:

Version Supported
< 5.0
>= 5.0

Reporting a Vulnerability

Reporting

Security vulnerabilities can be disclosed in one of two ways:

  • GitHub (preferred): By following these instructions.
  • Email: A description should be emailed to all members of the MAINTAINERS file to coordinate the disclosure of the vulnerability.

Tracking

When a maintainer is notified of a security vulnerability, they must create a GitHub security advisory per the instructions at:

Maintainers should use the optional GitHub feature to request that a CVE be issued. Alternatively, Red Hat has provided CVEs in the past and may be used, but the preference is for GitHub as the issuing CNA.

Publishing

Once ready, maintainers should publish the security vulnerability as outlined in:

As well as ensuring the publishing of the CVE, maintainers shall have new release versions ready to publish at the same time as the CVE. Maintainers should strive to adhere to a sub-60-day turnaround from report to release.
