1 files changed, 66 insertions, 0 deletions
diff --git a/embassy-mcxa/SECURITY.md b/embassy-mcxa/SECURITY.md
new file mode 100644
index 000000000..5357b8824
--- /dev/null
+++ b/embassy-mcxa/SECURITY.md
@@ -0,0 +1,66 @@
+# Vulnerability Disclosure and Embargo Policy
+The Open Device Partnership project welcomes the responsible disclosure of vulnerabilities.
+## Initial Contact
+All security bugs in Open Device Partnership should be reported to the security team.
+To do so, please reach out in the form of a
+[Github Security Advisory](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities).
+You will be invited to join this private area to discuss specifics. Doing so
+allows us to start with a high level of confidentiality and relax it if the
+issue is less critical, moving to work on the fix in the open.
+Your initial contact will be acknowledged within 48 hours, and you’ll receive
+a more detailed response within 96 hours indicating the next steps in handling
+your report.
+After the initial reply to your report, the security team will endeavor to
+keep you informed of the progress being made towards a fix and full
+announcement. As recommended by
+[RFPolicy](https://dl.packetstormsecurity.net/papers/general/rfpolicy-2.0.txt),
+these updates will be sent at least every five working days.
+## Disclosure Policy
+The Open Device Partnership project has a 5 step disclosure process.
+1. Contact is established, a private channel created, and the security report
+   is received and is assigned a primary handler. This person will coordinate
+   the fix and release process.
+2. The problem is confirmed and a list of all affected versions is determined.
+   If an embargo is needed (see below), details of the embargo are decided.
+3. Code is audited to find any potential similar problems.
+4. Fixes are prepared for all releases which are still under maintenance. In
+   case of embargo, these fixes are not committed to the public repository but
+   rather held in a private fork pending the announcement.
+5. The changes are pushed to the public repository and new builds are deployed.
+This process can take some time, especially when coordination is required
+with maintainers of other projects. Every effort will be made to handle the bug
+in as timely a manner as possible, however it is important that we follow the
+release process above to ensure that the disclosure is handled in a consistent
+manner.
+## Embargoes
+While the Open Device Partnership project aims to follow the highest standards of
+transparency and openness, handling some security issues may pose such an
+immediate threat to various stakeholders and require coordination between
+various actors that it cannot be made immediately public.
+In this case, security issues will fall under an embargo.
+An embargo can be called for in various cases:
+- when disclosing the issue without simultaneously providing a mitigation
+  would seriously endanger users,
+- when producing a fix requires coordinating between multiple actors (such as
+  upstream or downstream/dependency projects), or simply
+- when proper analysis of the issue and its ramifications demands time.
+If we determine that an issue you report requires an embargo, we will discuss
+this with you and try to find a reasonable expiry date (aka “embargo
+completion date”), as well as who should be included in the list of
+need-to-know people.

diff --git a/embassy-mcxa/SECURITY.md b/embassy-mcxa/SECURITY.md new file mode 100644 index 000000000..5357b8824 --- /dev/null +++ b/embassy-mcxa/SECURITY.md
@@ -0,0 +1,66 @@
	1	# Vulnerability Disclosure and Embargo Policy
	2
	3	The Open Device Partnership project welcomes the responsible disclosure of vulnerabilities.
	4
	5	## Initial Contact
	6
	7	All security bugs in Open Device Partnership should be reported to the security team.
	8	To do so, please reach out in the form of a
	9	[Github Security Advisory](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities).
	10
	11	You will be invited to join this private area to discuss specifics. Doing so
	12	allows us to start with a high level of confidentiality and relax it if the
	13	issue is less critical, moving to work on the fix in the open.
	14
	15	Your initial contact will be acknowledged within 48 hours, and you’ll receive
	16	a more detailed response within 96 hours indicating the next steps in handling
	17	your report.
	18
	19	After the initial reply to your report, the security team will endeavor to
	20	keep you informed of the progress being made towards a fix and full
	21	announcement. As recommended by
	22	[RFPolicy](https://dl.packetstormsecurity.net/papers/general/rfpolicy-2.0.txt),
	23	these updates will be sent at least every five working days.
	24
	25	## Disclosure Policy
	26
	27	The Open Device Partnership project has a 5 step disclosure process.
	28
	29	1. Contact is established, a private channel created, and the security report
	30	is received and is assigned a primary handler. This person will coordinate
	31	the fix and release process.
	32	2. The problem is confirmed and a list of all affected versions is determined.
	33	If an embargo is needed (see below), details of the embargo are decided.
	34	3. Code is audited to find any potential similar problems.
	35	4. Fixes are prepared for all releases which are still under maintenance. In
	36	case of embargo, these fixes are not committed to the public repository but
	37	rather held in a private fork pending the announcement.
	38	5. The changes are pushed to the public repository and new builds are deployed.
	39
	40	This process can take some time, especially when coordination is required
	41	with maintainers of other projects. Every effort will be made to handle the bug
	42	in as timely a manner as possible, however it is important that we follow the
	43	release process above to ensure that the disclosure is handled in a consistent
	44	manner.
	45
	46	## Embargoes
	47
	48	While the Open Device Partnership project aims to follow the highest standards of
	49	transparency and openness, handling some security issues may pose such an
	50	immediate threat to various stakeholders and require coordination between
	51	various actors that it cannot be made immediately public.
	52
	53	In this case, security issues will fall under an embargo.
	54
	55	An embargo can be called for in various cases:
	56
	57	- when disclosing the issue without simultaneously providing a mitigation
	58	would seriously endanger users,
	59	- when producing a fix requires coordinating between multiple actors (such as
	60	upstream or downstream/dependency projects), or simply
	61	- when proper analysis of the issue and its ramifications demands time.
	62
	63	If we determine that an issue you report requires an embargo, we will discuss
	64	this with you and try to find a reasonable expiry date (aka “embargo
	65	completion date”), as well as who should be included in the list of
	66	need-to-know people.