Security: tpm2-software/tpm2-tss

SECURITY.md

Security Policy

Supported Versions

Currently supported versions:

Version Supported
>= 2.4.0
< 2.4.0

Reporting a Vulnerability

Use this section to tell people how to report a vulnerability.

Tell them where to go, how often they can expect to get an update on a reported vulnerability, what to expect if the vulnerability is accepted or declined, etc.

Security Reporting Guidelines

Reporting

Security vulnerabilities should be emailed to all members of the MAINTAINERS file to coordinate the disclosure of the vulnerability.

Tracking

When a maintainer is notified of a security vulnerability, they must create a GitHub security advisory per the instructions at:

Maintainers should use the optional GitHub feature to request that a CVE be issued. Alternatively, Red Hat has provided CVEs in the past and may be used, but the preference is for GitHub as the issuing CNA.

Publishing

Once ready, maintainers should publish the security vulnerability as outlined in:

In addition to ensuring that the CVE is published, maintainers shall have new release versions ready to publish at the same time as the CVE. Maintainers should strive to adhere to a sub-60-day turnaround from report to release.