Message ID | 20231017152517.26675-1-rybczynska@gmail.com
---|---
State | New
Series | Add SECURITY.md
On Tue, 2023-10-17 at 17:25 +0200, Marta Rybczynska wrote:
> Add a SECURITY.md filr with hints for security researchers and other
> parties who might report potential security vulnerabilities.
>
> Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
> --- > SECURITY.md | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > create mode 100644 SECURITY.md > > diff --git a/SECURITY.md b/SECURITY.md > new file mode 100644 > index 0000000000..900da76e59 > --- /dev/null > +++ b/SECURITY.md > @@ -0,0 +1,17 @@ > +How to Report a Vulnerability? > +============================== > + > +Please send a message to security AT yoctoproject DOT org, including as many details > +as possible: the layer or software module affected, the recipe and its version, > +and any example code, if available.

Rather than send everyone to the security address, can we suggest bugzilla as the first port of call for anything public knowledge and less urgent, and only use the security address for non-public or urgent issues?

We do have the ability to mark bugs as security and private and then triage unlocks them too.

Cheers,

Richard
On Tue, Oct 17, 2023 at 11:50 PM Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> On Tue, 2023-10-17 at 17:25 +0200, Marta Rybczynska wrote:
> > Add a SECURITY.md filr with hints for security researchers and other
> > parties who might report potential security vulnerabilities.
> >
> > Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
> > --- > > SECURITY.md | 17 +++++++++++++++++ > > 1 file changed, 17 insertions(+) > > create mode 100644 SECURITY.md > > > > diff --git a/SECURITY.md b/SECURITY.md > > new file mode 100644 > > index 0000000000..900da76e59 > > --- /dev/null > > +++ b/SECURITY.md > > @@ -0,0 +1,17 @@ > > +How to Report a Vulnerability? > > +============================== > > + > > +Please send a message to security AT yoctoproject DOT org, including as many details > > +as possible: the layer or software module affected, the recipe and its version, > > +and any example code, if available.
>
> Rather than send everyone to the security address, can we suggest
> bugzilla as the first port of call for anything public knowledge and
> less urgent and to only to use the security address for non-public or
> urgent issues?
>
> We do have the ability to mark bugs as security and private and then
> triage unlocks them too.

Absolutely. I will be sending a v2 to OE-core only. When we agree on this one, I will send it also to other layers. As they might come in different combinations, a SECURITY.md for each layer (like README) gives us best visibility.

Regards,
Marta
On Wed, 2023-10-18 at 07:03 +0200, Marta Rybczynska wrote:
> On Tue, Oct 17, 2023 at 11:50 PM Richard Purdie
> <richard.purdie@linuxfoundation.org> wrote:
> > On Tue, 2023-10-17 at 17:25 +0200, Marta Rybczynska wrote:
> > > Add a SECURITY.md filr with hints for security researchers and other
> > > parties who might report potential security vulnerabilities.
> > >
> > > Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
> > > --- > > > SECURITY.md | 17 +++++++++++++++++ > > > 1 file changed, 17 insertions(+) > > > create mode 100644 SECURITY.md > > > > > > diff --git a/SECURITY.md b/SECURITY.md > > > new file mode 100644 > > > index 0000000000..900da76e59 > > > --- /dev/null > > > +++ b/SECURITY.md > > > @@ -0,0 +1,17 @@ > > > +How to Report a Vulnerability? > > > +============================== > > > + > > > +Please send a message to security AT yoctoproject DOT org, including as many details > > > +as possible: the layer or software module affected, the recipe and its version, > > > +and any example code, if available.
> >
> > Rather than send everyone to the security address, can we suggest
> > bugzilla as the first port of call for anything public knowledge and
> > less urgent and to only to use the security address for non-public or
> > urgent issues?
> >
> > We do have the ability to mark bugs as security and private and then
> > triage unlocks them too.
>
> Absolutely. I will be sending a v2 to OE-core only. When we agree on this one,
> I will send it also to other layers. As they might come in different
> combinations, a SECURITY.md for each layer (like README) gives us best visibility.

I'm happy with the OE-Core v2 so plan to merge that to the nanbield and master branches even if we've built rc1. I'm assuming Steve will add to the LTS branches too?

Cheers,

Richard
diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..900da76e59 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,17 @@ +How to Report a Vulnerability? +============================== + +Please send a message to security AT yoctoproject DOT org, including as many details +as possible: the layer or software module affected, the recipe and its version, +and any example code, if available. + +Branches maintained with security fixes +--------------------------------------- + +See [https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS Stable release and LTS] +for detailed info regarding the policies and maintenance of Stable branch. + +The [https://wiki.yoctoproject.org/wiki/Releases Release page] contains a list of all +releases of the Yocto Project. Versions in grey are no longer actively maintained with +security patches, but well-tested patches may still be accepted for them for +significant issues.
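Review bot: the two wiki links in the "Branches maintained with security fixes" section use MediaWiki link syntax (`[https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS Stable release and LTS]`), which will not render as a link in a Markdown file; the Markdown form is `[Stable release and LTS](https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS)`, and likewise `[Release page](https://wiki.yoctoproject.org/wiki/Releases)`. As raised in the thread, the "How to Report a Vulnerability?" section routes every report to the security address; it would help to say that public, less urgent issues can be filed in Bugzilla (where a bug can be marked security and private for triage) and to reserve the security address for non-public or urgent reports. Minor wording: "maintenance of Stable branch" reads better as "maintenance of the stable branches".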
Add a SECURITY.md file with hints for security researchers and other parties who might report potential security vulnerabilities.

Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
---
SECURITY.md | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 SECURITY.md