Security Center Frequently Asked Questions
Q: How do I report a security issue in your infrastructure?
The Trusted Firmware infrastructure is hosted by Linaro, so please follow the Linaro security policy (also referred to by Linaro’s security.txt). Please read the FAQ there before reporting new issues.
Q: I found a security issue in product X, will you fix it?
If the product uses source code from TrustedFirmware’s open source projects as is, then yes. Regardless, we always recommend also involving the PSIRT team at the company behind the product.
Q: Do you have a bug bounty program?
TrustedFirmware does not currently operate a bug bounty program. All projects within TrustedFirmware are Open Source and sustain their operations through contributions from diverse entities, including companies, organizations, individuals, researchers, freelancers and hobbyists. Some contribute financially, while others provide engineering resources, hardware and infrastructure. Because all work is done in the open, we believe security incident work should be treated the same way, with the difference that reporting follows the process described in the Security Incident Handling Process.
Q: I found a security issue, but will only let you know if you pay me.
Unfortunately, we are unable to handle requests like this. TrustedFirmware runs open source projects as described in the previous question in this FAQ.