Skip to content

Commit e1e47cb

Browse files
MarkAtwoodsameehj
authored andcommitted
docs(sbom): align with project's formal security policy
doc/SBOM.md and doc/CRA.md previously had no references to wolfSSL's vulnerability disclosure process. CRA Article 10 obliges manufacturers to handle and disclose vulnerabilities, so a CRA-compliance doc that does not point integrators at the disclosure path leaves the auditor with an incomplete handoff. PR #10284 (already on master) published the project's formal security policy at SECURITY-POLICY.md and a mandatory reporting template at SECURITY-REPORT-TEMPLATE.md. The policy explicitly accommodates ecosystem-coordination embargoes for 'downstream integrators, certification bodies, or equivalent' -- the exact audience these CRA-compliance docs are written for. doc/CRA.md: extends 'What to Give Your Auditor' with a paragraph on the disclosure process, advisory feed, and the embargo accommodation; lists SECURITY-POLICY.md and SECURITY-REPORT-TEMPLATE.md under 'Further Reading'. doc/SBOM.md: adds a closing paragraph to '5. Using wolfSSL's artefacts in a product' pointing readers at SECURITY-POLICY.md when a vulnerability is found in wolfSSL or any SBOM-listed dependency. This is congruent with the project's formal security policy landed by #10284.
1 parent 2576c04 commit e1e47cb

2 files changed

Lines changed: 24 additions & 0 deletions

File tree

doc/CRA.md

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -268,12 +268,28 @@ If you have a product-level SBOM that references wolfSSL via
268268
`ExternalDocumentRef` (SPDX) or a `bom` external reference (CycloneDX),
269269
include that product SBOM alongside the wolfSSL artefacts.
270270

271+
CRA Article 10 also obliges manufacturers to handle and disclose
272+
vulnerabilities. wolfSSL's vulnerability disclosure process is documented
273+
in [`SECURITY-POLICY.md`](../SECURITY-POLICY.md) at the repository root,
274+
with a mandatory reporting template at
275+
[`SECURITY-REPORT-TEMPLATE.md`](../SECURITY-REPORT-TEMPLATE.md). Reports
276+
go to **support@wolfssl.com**; published advisories live at
277+
<https://www.wolfssl.com/docs/security-vulnerabilities/>. The policy
278+
explicitly accommodates ecosystem-coordination embargoes for downstream
279+
integrators and certification bodies — point your auditor at this so
280+
they can verify the disclosure path before signing off.
281+
271282
## Further Reading
272283

273284
### wolfSSL documentation
274285

275286
- `doc/SBOM.md` — unified reference covering SBOM generation, OmniBOR/Bomsh
276287
build provenance, combined workflow, output formats, and implementation notes
288+
- [`SECURITY-POLICY.md`](../SECURITY-POLICY.md) — vulnerability disclosure
289+
policy, severity rubric, coordinated-disclosure practice, embargo
290+
extensions for downstream integrators and certification bodies
291+
- [`SECURITY-REPORT-TEMPLATE.md`](../SECURITY-REPORT-TEMPLATE.md)
292+
mandatory template for vulnerability reports submitted to wolfSSL
277293

278294
### OpenSSF guidance
279295

doc/SBOM.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -650,3 +650,11 @@ file.
650650
If you are shipping a product that includes wolfSSL and need to satisfy CRA
651651
obligations, see `doc/CRA.md` for guidance on integrating these artefacts
652652
into your product SBOM and what to provide to a conformity assessor.
653+
654+
If a vulnerability is found in wolfSSL itself or in any dependency listed
655+
in the SBOM, see [`SECURITY-POLICY.md`](../SECURITY-POLICY.md) at the
656+
repository root for wolfSSL's disclosure process, severity rubric, and
657+
coordinated-disclosure practice. Reports use
658+
[`SECURITY-REPORT-TEMPLATE.md`](../SECURITY-REPORT-TEMPLATE.md) and go to
659+
**support@wolfssl.com**; published advisories are at
660+
<https://www.wolfssl.com/docs/security-vulnerabilities/>.

0 commit comments

Comments
 (0)