diff mbox series

[v2,2/3] security-team: Tidy and update section on security team operations

Message ID 20260603-sec-team-v2-2-ee7d2016fbf4@pbarker.dev
State New
Series Security team documentation updates

Commit Message

Paul Barker June 3, 2026, 7:45 p.m. UTC
The section "What Yocto Security Team does when it receives a security
vulnerability" duplicated information already found in the previous
section "Security Team Operations", so merge the sections and tidy up
the flow of the text.

While we're editing this, Mitre is now just one of the places you can go
to get a CVE assigned; many other CVE Numbering Authorities (CNAs) are
available. They also now have a web form for contact and requesting CVE
assignment, so let's link directly to that.

Also drop "If an upstream project does not respond quickly" down a
heading level.

Signed-off-by: Paul Barker <paul@pbarker.dev>
---
 documentation/security-reference/security-team.rst | 26 +++++++---------------
 1 file changed, 8 insertions(+), 18 deletions(-)
Patch

diff --git a/documentation/security-reference/security-team.rst b/documentation/security-reference/security-team.rst
index 7ec1dda02e0c..c83ada17eb56 100644
--- a/documentation/security-reference/security-team.rst
+++ b/documentation/security-reference/security-team.rst
@@ -56,31 +56,21 @@  original reporter in the loop. There is also sometimes some coordination for
 handling patches, backporting patches etc, or just understanding the problem
 or what caused it.
 
-When the fix is publicly available, the YP security team member or the
-package maintainer sends patches against the YP code base, following usual
-procedures, including public code review.
-
-What Yocto Security Team does when it receives a security vulnerability
-=======================================================================
-
-The YP Security Team team performs a quick analysis and would usually report
-the flaw to the upstream project. Normally the upstream project analyzes the
-problem. If they deem it a real security problem in their software, they
-develop and release a fix following their own security policy. They may want
-to include the original reporter in the loop. There is also sometimes some
-coordination for handling patches, backporting patches etc, or just
-understanding the problem or what caused it.
-
 The security policy of the upstream project might include a notification to
 Linux distributions or other important downstream projects in advance to
 discuss coordinated disclosure. These mailing lists are normally non-public.
 
 When the upstream project releases a version with the fix, they are responsible
-for contacting `Mitre <https://www.cve.org/>`__ to get a CVE number assigned and
-the CVE record published.
+for contacting an appropriate CVE Numbering Authority (CNA), such as `Mitre
+<https://cveform.mitre.org/>`__, to get a CVE number assigned and the CVE
+record published.
+
+When the fix is publicly available, the YP security team member or the
+package maintainer sends patches against the YP code base, following usual
+procedures, including public code review.
 
 If an upstream project does not respond quickly
-===============================================
+-----------------------------------------------
 
 If an upstream project does not fix the problem in a reasonable time,
 the Yocto's Security Team will contact other interested parties (usually
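Review bot: the heading demotion at `-===============================================` / `+-----------------------------------------------` depends on `---` already being the next level below `===` in this file; reStructuredText assigns section levels by the order in which each underline style first appears, so if `---` is used elsewhere in security-team.rst at a different depth, docutils will report an inconsistent title level rather than silently nesting the heading under "Security Team Operations". Worth confirming the rest of the file before merging. Also, since this change is already tidying the wording of this section, the retained context line "the Yocto's Security Team will contact other interested parties" carries a stray possessive ("the Yocto's") that could be fixed in the same series.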