DMTF Security Issue Reporting Process
The following is a summary of the Security Response Process within the DMTF. If you have any information regarding security issues or vulnerabilities in DMTF standards (https://www.dmtf.org/standards) or DMTF open source implementations (https://github.com/DMTF), please report it to us immediately. DMTF's Security Response Task Force (SRTF) is chartered to coordinate the management and response for all reported security vulnerabilities in DMTF published artifacts.
Reporting a Security Issue
Please report the security issue or vulnerability via the DMTF Feedback Portal.
In order to help identify the issue in a timely manner, please include the following required information in document form (txt, rtf, docx preferred) as an attachment to the submission:
- Finder's email
- Vulnerability description with technical details, including how to reproduce the exploitation and its consequences.
- Impacted standard and its version
- Impacted reference code and its branch version
- Impacted product and product version
Once DMTF receives the report, the SRTF administrator will acknowledge your submission and may contact you for further information via secure email. All correspondence will take place using PGP email encryption.
Handling Security Issues
Once the security issue has been submitted via the Feedback Portal and the SRTF administrator has confirmed its receipt, the vulnerability handling activities will proceed in the following phases:
- Triage - determine the scope, severity, impact, etc.
- Mitigation - create the fix.
- Embargo - allow affected products to apply the fix before publication.
- Disclosure - publish the mitigation.
DMTF SRTF will coordinate with security experts and domain area experts to review the issue, then provide and publish a mitigation as soon as possible.
The timeline depends on many factors, including but not limited to: issue complexity, impact scope, involved components, and production stage.
Usually, the embargo time for a software vulnerability is short, while the embargo time for a firmware or hardware vulnerability is longer because of the differences in the component update process.
Before the mitigation is disclosed publicly, it will be posted to the DMTF Security Announcement GitHub repository (https://github.com/DMTF/SecurityAnnouncement). If your corporation is using a DMTF standard or DMTF reference code in production, you may register to receive the mitigation information and adopt it before the disclosure. A corporate email address is required to join the Security Announcement repository.
Publication of Security Advisory
After the embargo phase, DMTF will disclose the mitigation through a public security advisory that includes the following information:
- Publication date
- Vulnerability record - [CVE](https://cve.mitre.org/)
- Severity scoring - [CVSS](https://www.first.org/cvss/)
- Details of the vulnerability
- Mitigation - specification update and/or reference code patch
The advisory for DMTF standards will be included on the public pages of the authoring body.
The advisory for DMTF reference code will be included in each reference code GitHub repository.