OpenHarmony Security and Disclosure Statement

Security Bulletins

You can obtain OpenHarmony product security bulletins and disclosure information from the OpenHarmony security bulletins and disclosure page.

Reporting Vulnerabilities

We thank all security researchers and users who report security vulnerabilities to the OpenHarmony open-source community. The community conducts a comprehensive investigation into every security vulnerability you report.

1. Internal reporting

If a bug reported to a SIG is confirmed as a security vulnerability, the community will convert the corresponding issue into a private issue, add the security issue label, and add a priority label as needed. The community security issue response team periodically checks the status of such issues.

2. External reporting

If a security vulnerability is not on the list of public security vulnerabilities that the OpenHarmony security team has already handled, you can report it in one of the following ways:

Email notification: Please immediately send an email to scy@openharmony.io to notify the security issue response team so that the team can start the patch, release, and announcement processes. We strongly recommend that you encrypt your mail with the team's public key. After receiving the email, the security issue distributor creates a security issue in the community.

Community issue: You can create an issue in the community repository where the problem was found and mark it as a security issue. When creating the issue, select the private issue type.

If necessary, the security issue response team will ask you, through the person in charge, whether the issue can be handled under private (confidential) disclosure. If you object, we will use public disclosure instead.

A community vulnerability reward program is being planned and will be made available in the future.

When Should I Report Vulnerabilities?

  • You believe that you have discovered potential security vulnerabilities in OpenHarmony.
  • You are not sure how the vulnerabilities may affect OpenHarmony.
  • You have discovered vulnerabilities in other projects that OpenHarmony depends on. You can attach a link to the report already filed with the upstream community.

When Shouldn't I Report Vulnerabilities?

  • You want to help improve the security capability of OpenHarmony.
  • You need security-related help.
  • Your issues are irrelevant to security.

Security Vulnerability Response

  • The OpenHarmony security issue response team will confirm and analyze a reported security issue within three working days and start handling it.
  • After confirming a security issue, the security issue response team assigns it and follows up on it.
  • While a security issue is being classified, identified, fixed, and released, we will keep you informed of the handling progress by email in a timely manner.

Public Disclosure Time

  • The date of public disclosure is negotiated between the OpenHarmony security issue response team and the submitter of the security issue. Once mitigations or workarounds are available, we will disclose the vulnerability.
  • Delayed disclosure is inevitable and reasonable when a security issue is not yet fully understood and fixed, when the solution has not been adequately tested, or when coordination with publishers is not complete.
  • We usually disclose the vulnerabilities on the Tuesday of the first full week of each month.
  • The OpenHarmony security issue response team has the final decision on the date of disclosure.