| Info |
|---|
| ONAP Vulnerability Management and the onap-security mail alias are only to report issues against the ONAP software itself. It is NOT to be used for any issues related to tools and infrastructure (DNS, email, web, etc.) |
Glossary
| Term | Definition |
|---|---|
| Embargo | A time period where key ONAP stakeholders have access to details concerning the security vulnerability, with an understanding not to publish these details or the fixes they have prepared. The embargo ends with a coordinated release date (CRD). (adapted from source) |
| Subject Matter Expert (SME) | A developer or other specialist who can provide contextual information that helps to determine the validity and impact of a potential security vulnerability. |
| Security SME | A security SME is a specialist who is familiar with the ONAP security vulnerability procedures and security in general. |
| Peer reviewed | In the context of a patch, the term peer reviewed refers to the patch having been reviewed by the ONAP vulnerability sub-committee and any other relevant key stakeholders. There is not yet a strict definition of the number of people who need to have reviewed the patch, or how they provide sign off. |
...
- The Linux Kernel process for reporting security issues
- The OpenDaylight vulnerability management process
- Recommendations for a minimal security response process
- The fd.io vulnerability management process
Vulnerability Management Process Overview
Vulnerability Management Process
...
A report can be received either as a ticket in the Vulnerability Reporting Jira Project, as an email to onap-security@lists.onap.org, or as a private encrypted email to one of the VMS members.
The steps that have to be completed depend on the reception method:
...