zhujianwei001 / security-committee

forked from openEuler / security-committee 
security-disclosure-en.md 2.82 KB
zhujianwei001 committed on 2023-10-29 19:32 . Update broken links

openEuler Security Disclosure

Advisories

Visit Security Advisories for openEuler security advisories.

Vulnerabilities

We thank all security researchers and users who reported security vulnerabilities to the openEuler community. The security committee will schedule volunteers to conduct a full investigation into the reported security vulnerabilities.

You can e-mail details of security issues you find, along with error reports, to the private mailing list openeuler-security@openeuler.org. Please use the Security Issue Report Template.

You can encrypt your e-mail messages using a PGP public key requested from a member of the openEuler Security Committee.

When Should I Report a Vulnerability?

  • When you think you have discovered any potential security vulnerability in openEuler.
  • When you are not sure how a vulnerability may affect openEuler.
  • When you have found a vulnerability in another project that openEuler depends on. You can attach the link to the vulnerability report already submitted to the upstream community.

When Should I Not Report Vulnerabilities?

  • When you intend to help improve the security capability of openEuler.
  • When you need security-related help.
  • When your issue has nothing to do with security.

Security Vulnerability Response

  • Members of the openEuler Security Committee will confirm and analyze the reported security issues within three working days and start the security handling process.

  • After confirming security issues, the openEuler Security Committee will assign and follow up the issues.

  • You will be updated by e-mail in a timely manner on the issues you reported, throughout the process from security issue classification and confirmation to fixing and disclosure.

Vulnerability Disclosure

  • The date of disclosure is determined by the openEuler Security Committee and the reporters of the issue. For security issues, once mitigations or workarounds are available, the vulnerabilities will be disclosed as soon as possible.
  • Delayed disclosure is inevitable and reasonable when the errors are not fully understood and corrected, the solution is not fully tested, or coordination with the distributors is not completed.
  • Before public disclosure, some issues will be disclosed to distributors, and the release time will be coordinated among distributors without affecting their interests.
  • Disclosure takes about several weeks from the time the security issue is confirmed. Vulnerabilities with clear mitigations or workarounds will be disclosed within two weeks if possible.
  • The openEuler Security Committee has the final decision on the date of disclosure.