Security: oro-os/kernel

SECURITY.md

Security Disclosure Policy

Last Review Date 10 Feb 2024

The Oro Operating System project takes security extremely seriously.

If you have found a vulnerability within the Oro kernel or any of the associated crates included in this repository, please do not open an issue and instead consult the following instructions on how to responsibly disclose your findings.

Reporting a Vulnerability

To report a vulnerability, please send an email to security at oro dot sh. Please include as much information as possible, including:

  • A detailed description of the vulnerability.
  • Steps to reproduce the vulnerability, or a suitable demonstration.
  • Any relevant logs, error messages, or other artifacts.
  • Your name and contact information (if you wish to be credited).
  • The Git commit SHA of the affected code (if known).
  • Whether or not you have evidence the vulnerability has been exploited in the wild.
  • Whether or not you have a fix for the vulnerability.
  • Any other relevant information.

What to Expect

You should expect to receive a response within 24 hours. If you do not receive a response within 24 hours, please follow up with another email. Please note that the Oro Operating System project is maintained by volunteers, and as such response times may vary.

Further, the 24-hour window is not a guarantee that the vulnerability will be acknowledged. You may receive a response asking for more information or for clarification. We may take some time to evaluate, investigate and verify the vulnerability.

Please understand that not every reported vulnerability will be deemed as such. We will do our best to consider every report, but some reports may be rejected for various reasons.

Due to this, we ask that you do not disclose the vulnerability to the public until we have had a chance to respond and address the issue. This includes filing a public issue on GitHub, discussing the vulnerability in public forums, or filing a public security advisory (commonly referred to as a "CVE"). We will work with you to ensure that the vulnerability is disclosed responsibly and that you are properly credited for your work.

Will I receive a bounty or reward?

Unfortunately, the Oro Operating System project does not currently offer a bounty or reward program for security vulnerabilities. We are a small, volunteer-driven project and do not have the resources to offer monetary rewards for security vulnerabilities.

What if I have a question?

If you have any questions about this policy, or about the Oro Operating System project's security practices, please feel free to reach out to the above email address. We're happy to answer any questions you may have - the address is not just for reporting vulnerabilities!

What does the Oro Operating System project consider a "vulnerability"?

This isn't an easily answerable question, as it depends on the context of the vulnerability. If you are unsure, please file a report anyway and we will work with you to determine if the issue is considered a vulnerability.

What does the disclosure timeline look like?

The Oro Operating System project does not have a strict disclosure timeline. Given that the project is young and volunteer-driven, it's hard to determine the best response time for disclosure and remediation. We will work with you to determine the best course of action on a case-by-case basis.