We have a top-level SECURITY.md, because it's handled specially by the GitHub Web UI. Additionally, we have a security chapter in the documentation, so add references between the two for easier discoverability.
Signed-off-by: Ahmad Fatoum <a.fat...@pengutronix.de> --- Documentation/user/security.rst | 7 +++++++ SECURITY.md | 5 +++++ 2 files changed, 12 insertions(+) diff --git a/Documentation/user/security.rst b/Documentation/user/security.rst index 5beedfc9a5bf..cc15c8b512b2 100644 --- a/Documentation/user/security.rst +++ b/Documentation/user/security.rst @@ -170,3 +170,10 @@ a compiled-in RSA public key. Board code should read the JSON Web Token (e.g., from a raw partition on a USB mass storage device), verify the serial number claim within against the board's actual serial number and only then unlock any debugging functionality. + +Security Policy +--------------- + +For general information on supported versions and how to report security +vulnerabilities, refer to the top-level +`SECURITY.md <https://github.com/barebox/barebox/security/policy>`_ document. diff --git a/SECURITY.md b/SECURITY.md index 476ab3186e04..9dd19d73d0aa 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -12,3 +12,8 @@ Compatibility with old kernels is maintained over barebox releases. Please report security vulnerabilities to secur...@barebox.org. We will work with the reporter to create a fix and to coordinate the disclosure. + +## Securing barebox + +Refer to the [Security Considerations](https://www.barebox.org/doc/latest/user/security.html) +chapter of the documentation for information on how to configure barebox securely. -- 2.39.5
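Review bot: In the security.rst hunk, the link text reads `SECURITY.md` but the target is the GitHub "security/policy" page, which only resolves while the project is hosted there and is not reachable from a source tarball or offline build of the docs. Suggest naming the in-tree location as well so the reference stays valid without network access, e.g. "refer to the top-level ``SECURITY.md`` in the source tree (also rendered at https://github.com/barebox/barebox/security/policy)". As a smaller style point, a "Security Policy" section is appended after the JWT-based debug-unlock paragraph; placing it near the beginning of the chapter would make it easier to find for readers who open the security chapter looking for how to report an issue.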
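Review bot: In the SECURITY.md hunk, the new "Securing barebox" section links to `doc/latest/user/security.html`, so someone reading SECURITY.md from an older tag or release tarball is sent to documentation for a newer version, which may describe options their tree does not have. Suggest also mentioning the in-tree source, `Documentation/user/security.rst`, next to the link so the reference matches the checked-out version and works offline, e.g. "(`Documentation/user/security.rst` in the source tree)".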