On Tue, Oct 17, 2023 at 11:50 PM Richard Purdie
<[email protected]> wrote:
>
> On Tue, 2023-10-17 at 17:25 +0200, Marta Rybczynska wrote:
> > Add a SECURITY.md file with hints for security researchers and other
> > parties who might report potential security vulnerabilities.
> >
> > Signed-off-by: Marta Rybczynska <[email protected]>
> > ---
> >  SECURITY.md | 17 +++++++++++++++++
> >  1 file changed, 17 insertions(+)
> >  create mode 100644 SECURITY.md
> >
> > diff --git a/SECURITY.md b/SECURITY.md
> > new file mode 100644
> > index 0000000000..900da76e59
> > --- /dev/null
> > +++ b/SECURITY.md
> > @@ -0,0 +1,17 @@
> > +How to Report a Vulnerability?
> > +==============================
> > +
> > +Please send a message to security AT yoctoproject DOT org, including as 
> > many details
> > +as possible: the layer or software module affected, the recipe and its 
> > version,
> > +and any example code, if available.
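Review bot: the new SECURITY.md sends every report to the security address without saying which reports belong there; a sentence distinguishing public, less urgent issues (a bugzilla entry, which can be marked security and private, as suggested in the reply) from non-public or urgent ones (the security address) would help reporters pick the right path. The file also sets no expectation of what happens after a report, such as an acknowledgement or who triages it; "any example code, if available" would be clearer as "steps to reproduce or example code, if available"; and the title reads better as a statement, "How to Report a Vulnerability", than as a question.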
>
> Rather than send everyone to the security address, can we suggest
> bugzilla as the first port of call for anything public knowledge and
> less urgent and to only use the security address for non-public or
> urgent issues?
>
> We do have the ability to mark bugs as security and private and then
> triage unlocks them too.
>

Absolutely. I will be sending a v2 to OE-core only. When we agree on this one,
I will send it also to other layers. As they might come in different combinations,
a SECURITY.md for each layer (like README) gives us the best visibility.

Regards,
Marta
View/Reply Online (#189366): https://lists.openembedded.org/g/openembedded-core/message/189366