On Tue, 2023-10-17 at 17:25 +0200, Marta Rybczynska wrote:
> Add a SECURITY.md file with hints for security researchers and other
> parties who might report potential security vulnerabilities.
> 
> Signed-off-by: Marta Rybczynska <[email protected]>
> ---
>  SECURITY.md | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
>  create mode 100644 SECURITY.md
> 
> diff --git a/SECURITY.md b/SECURITY.md
> new file mode 100644
> index 0000000000..900da76e59
> --- /dev/null
> +++ b/SECURITY.md
> @@ -0,0 +1,17 @@
> +How to Report a Vulnerability?
> +==============================
> +
> +Please send a message to security AT yoctoproject DOT org, including as many 
> details
> +as possible: the layer or software module affected, the recipe and its 
> version,
> +and any example code, if available.
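Review bot: the reporting instructions in this hunk give the private address as the only channel and do not say whether a report must be kept non-public, nor what the reporter should expect afterwards (an acknowledgement, a rough response window, or how disclosure is coordinated); consider adding a sentence on each so reporters know when the private mailbox is the right route and what follows a report. Minor style point: the heading "How to Report a Vulnerability?" reads better without the question mark, e.g. "How to Report a Vulnerability".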

Rather than send everyone to the security address, can we suggest
bugzilla as the first port of call for anything public knowledge and
less urgent, and to only use the security address for non-public or
urgent issues?

We do have the ability to mark bugs as security and private and then
triage unlocks them too.

Cheers,

Richard
View/Reply Online (#189362): https://lists.openembedded.org/g/openembedded-core/message/189362