The security team of each Trusted Firmware project maintains a private, vetted list of organizations and individuals who are considered Trusted Stakeholders of security vulnerabilities for that project. Trusted Stakeholders are organizations impacted by security vulnerabilities found in a Trusted Firmware project and thus need to be informed before public disclosure.
If you want to register as a Trusted Stakeholder, please contact the relevant security team alias(es) as listed here , providing the following information:
- Which Trusted Firmware project(s) you want to register for.
- A justification of why you should be on the list. That is, why you should know about security vulnerabilities and have access to security fixes before they are made public. For example, a valid reason is that your organization has deployed products using Trusted Firmware that may need to be patched.
- Your full name and a valid email address. This should be an organization email address where possible. We prefer individuals in each organization to coordinate their registration requests with each other and to provide us with an email alias managed by your organization instead of us managing a long list of individual addresses.
- Confirmation that you and the individuals in your organization will handle embargoed information responsibly as described in the process page.
Where applicable, the project security teams also maintain a Especially Sensitive Stakeholder (ESS) list. This list is strictly limited to those organizations that use Trusted Firmware for large scale deployments providing bare-metal access on multi-tenancy systems, and organizations that supply Trusted Firmware to such deployments. You may use the same email address above to register for this list but in almost all cases we expect the Trusted Stakeholder list to be used instead.
Note, we reserve the right to deny registration or revoke membership to the stakeholders lists, for example if we have concerns about the confidentiality of embargoed information.