You can obtain OpenHarmony product security bulletins and disclosure information from the OpenHarmony security bulletins and disclosure page.
We thank all security researchers and users who report security vulnerabilities to the OpenHarmony open-source community. The community conducts a comprehensive investigation of the security vulnerabilities you report.
1. Internal reporting
If a bug in a SIG is confirmed as a security vulnerability, the community will change the corresponding issue to a private issue, add the security issue label, and add the priority label as needed. The community security issue response team will periodically check the updates of such issues.
2. External reporting
If a security vulnerability is not on the list of public security vulnerabilities that the OpenHarmony security team has handled, you can handle it as follows:
Email notification:
Please immediately send an email to scy@openharmony.io to notify the security issue response team so that the team can start the patch, release, and announcement processes. We strongly recommend that you use the public key to encrypt your email. After receiving the email, the security issue distributor creates a security issue in the community.
Community issue:
You can create an issue in the community where the issue is found and mark the issue as a security issue. When creating the issue, select the private issue type.
If necessary, the security issue response team will ask whether you can disclose this issue privately through the person in charge. If you object, we will adopt the public disclosure method.
The vulnerability rewards of the community are being planned and will be available in the future.