Arm takes security issues seriously and welcomes feedback from researchers and the security community in order to improve the security of its products and services. We operate a coordinated disclosure policy for disclosing vulnerabilities and other security issues.
Security issues can be complex and one single timescale doesn't fit all circumstances. We will make best endeavours to inform you when we expect security notifications and fixes to be available and facilitate coordinated disclosure when notifications and patches/mitigations are available.
If you would like to report a public issue (for example, one with a released CVE number), please contact the meta-arm mailing list at meta-arm@lists.yoctoproject.org and arm-security@arm.com.
If you are dealing with a not-yet-released or urgent issue, please send an email to the maintainers (see README.md) and arm-security@arm.com, including as much detail as possible. Encrypted emails using PGP are welcome.
For more information, please visit https://developer.arm.com/support/arm-security-updates/report-security-vulnerabilities.
meta-arm follows the Yocto release model; see "Stable release and LTS" for detailed information regarding the policies and maintenance of stable branches.
The Release page contains a list of all releases of the Yocto Project. Versions in grey are no longer actively maintained with security patches, but well-tested patches may still be accepted for them for significant issues.
Arm reference solutions are Arm public example software projects that track and pull upstream components, incorporating their respective security fixes published over time. Arm partners are responsible for ensuring that the components they use contain all the required security fixes, if and when they deploy a product derived from Arm reference solutions.