Add SECURITY.md

Message ID 20231017152517.26675-1-rybczynska@gmail.com
State New
Series Add SECURITY.md

Commit Message

Marta Rybczynska Oct. 17, 2023, 3:25 p.m. UTC
Add a SECURITY.md file with hints for security researchers and other
parties who might report potential security vulnerabilities.

Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
---
 SECURITY.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 SECURITY.md

Comments

Richard Purdie Oct. 17, 2023, 9:50 p.m. UTC | #1
On Tue, 2023-10-17 at 17:25 +0200, Marta Rybczynska wrote:
> Add a SECURITY.md file with hints for security researchers and other
> parties who might report potential security vulnerabilities.
> 
> Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
> ---
>  SECURITY.md | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
>  create mode 100644 SECURITY.md
> 
> diff --git a/SECURITY.md b/SECURITY.md
> new file mode 100644
> index 0000000000..900da76e59
> --- /dev/null
> +++ b/SECURITY.md
> @@ -0,0 +1,17 @@
> +How to Report a Vulnerability?
> +==============================
> +
> +Please send a message to security AT yoctoproject DOT org, including as many details
> +as possible: the layer or software module affected, the recipe and its version,
> +and any example code, if available.

Rather than send everyone to the security address, can we suggest
bugzilla as the first port of call for anything public knowledge and
less urgent and to only use the security address for non-public or
urgent issues?

We do have the ability to mark bugs as security and private and then
triage unlocks them too.

Cheers,

Richard
Marta Rybczynska Oct. 18, 2023, 5:03 a.m. UTC | #2
On Tue, Oct 17, 2023 at 11:50 PM Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
>
> On Tue, 2023-10-17 at 17:25 +0200, Marta Rybczynska wrote:
> > Add a SECURITY.md file with hints for security researchers and other
> > parties who might report potential security vulnerabilities.
> >
> > Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
> > ---
> >  SECURITY.md | 17 +++++++++++++++++
> >  1 file changed, 17 insertions(+)
> >  create mode 100644 SECURITY.md
> >
> > diff --git a/SECURITY.md b/SECURITY.md
> > new file mode 100644
> > index 0000000000..900da76e59
> > --- /dev/null
> > +++ b/SECURITY.md
> > @@ -0,0 +1,17 @@
> > +How to Report a Vulnerability?
> > +==============================
> > +
> > +Please send a message to security AT yoctoproject DOT org, including as many details
> > +as possible: the layer or software module affected, the recipe and its version,
> > +and any example code, if available.
>
> Rather than send everyone to the security address, can we suggest
> bugzilla as the first port of call for anything public knowledge and
> less urgent and to only use the security address for non-public or
> urgent issues?
>
> We do have the ability to mark bugs as security and private and then
> triage unlocks them too.
>

Absolutely. I will be sending a v2 to OE-core only. When we agree on this one,
I will send it also to other layers. As they might come in different
combinations, a SECURITY.md for each layer (like README) gives us best visibility.

Regards,
Marta
Richard Purdie Oct. 19, 2023, 10:30 a.m. UTC | #3
On Wed, 2023-10-18 at 07:03 +0200, Marta Rybczynska wrote:
> On Tue, Oct 17, 2023 at 11:50 PM Richard Purdie
> <richard.purdie@linuxfoundation.org> wrote:
> > 
> > On Tue, 2023-10-17 at 17:25 +0200, Marta Rybczynska wrote:
> > > Add a SECURITY.md file with hints for security researchers and other
> > > parties who might report potential security vulnerabilities.
> > > 
> > > Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
> > > ---
> > >  SECURITY.md | 17 +++++++++++++++++
> > >  1 file changed, 17 insertions(+)
> > >  create mode 100644 SECURITY.md
> > > 
> > > diff --git a/SECURITY.md b/SECURITY.md
> > > new file mode 100644
> > > index 0000000000..900da76e59
> > > --- /dev/null
> > > +++ b/SECURITY.md
> > > @@ -0,0 +1,17 @@
> > > +How to Report a Vulnerability?
> > > +==============================
> > > +
> > > +Please send a message to security AT yoctoproject DOT org, including as many details
> > > +as possible: the layer or software module affected, the recipe and its version,
> > > +and any example code, if available.
> > 
> > Rather than send everyone to the security address, can we suggest
> > bugzilla as the first port of call for anything public knowledge and
> > less urgent and to only use the security address for non-public or
> > urgent issues?
> > 
> > We do have the ability to mark bugs as security and private and then
> > triage unlocks them too.
> > 
> 
> Absolutely. I will be sending a v2 to OE-core only. When we agree on this one,
> I will send it also to other layers. As they might come in different
> combinations, a SECURITY.md for each layer (like README) gives us best visibility.

I'm happy with the OE-Core v2 so plan to merge that to the nanbield and
master branches even if we've built rc1. I'm assuming Steve will add to
the LTS branches too?

Cheers,

Richard
Patch

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..900da76e59
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,17 @@ 
+How to Report a Vulnerability?
+==============================
+
+Please send a message to security AT yoctoproject DOT org, including as many details
+as possible: the layer or software module affected, the recipe and its version,
+and any example code, if available.
+
+Branches maintained with security fixes
+---------------------------------------
+
+See [https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS Stable release and LTS]
+for detailed info regarding the policies and maintenance of Stable branch.
+
+The [https://wiki.yoctoproject.org/wiki/Releases Release page] contains a list of all
+releases of the Yocto Project. Versions in grey are no longer actively maintained with
+security patches, but well-tested patches may still be accepted for them for
+significant issues.
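Review bot: the two links in the new SECURITY.md use MediaWiki bracket syntax (`[URL text]`) rather than Markdown, so in a `.md` file they render as literal text instead of hyperlinks; suggest `[Stable release and LTS](https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS)` and `[Release page](https://wiki.yoctoproject.org/wiki/Releases)`. The reporting paragraph also sends every report to the security address; as raised in the review above, it should distinguish already-public or less urgent issues (Bugzilla, where bugs can be marked security and private until triage) from non-public or urgent ones (the security address). Minor wording: "maintenance of Stable branch" reads better as "maintenance of the stable branches".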