On Wed, 2023-10-18 at 07:03 +0200, Marta Rybczynska wrote:
> On Tue, Oct 17, 2023 at 11:50 PM Richard Purdie
> <[email protected]> wrote:
> >
> > On Tue, 2023-10-17 at 17:25 +0200, Marta Rybczynska wrote:
> > > Add a SECURITY.md file with hints for security researchers and other
> > > parties who might report potential security vulnerabilities.
> > >
> > > Signed-off-by: Marta Rybczynska <[email protected]>
> > > ---
> > > SECURITY.md | 17 +++++++++++++++++
> > > 1 file changed, 17 insertions(+)
> > > create mode 100644 SECURITY.md
> > >
> > > diff --git a/SECURITY.md b/SECURITY.md
> > > new file mode 100644
> > > index 0000000000..900da76e59
> > > --- /dev/null
> > > +++ b/SECURITY.md
> > > @@ -0,0 +1,17 @@
> > > +How to Report a Vulnerability?
> > > +==============================
> > > +
> > > +Please send a message to security AT yoctoproject DOT org, including as
> > > many details
> > > +as possible: the layer or software module affected, the recipe and its
> > > version,
> > > +and any example code, if available.
> >
> > Rather than send everyone to the security address, can we suggest
> > bugzilla as the first port of call for anything public knowledge and
> > less urgent and to only use the security address for non-public or
> > urgent issues?
> >
> > We do have the ability to mark bugs as security and private and then
> > triage unlocks them too.
> >
>
> Absolutely. I will be sending a v2 to OE-core only. When we agree on this one,
> I will send it also to other layers. As they might come in different
> combinations,
> a SECURITY.md for each layer (like README) gives us best visibility.
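Review bot: the hunk's only instruction is to email security AT yoctoproject DOT org, so every report, including issues that are already public and not urgent, would land in the private security queue; add a line directing public, less urgent issues to Bugzilla (where bugs can be marked security and private until triage unlocks them) and reserve the security address for non-public or urgent reports, as suggested in the reply. Separately, the quoted hunk shows `many details` and `version,` spilling onto lines of their own without a `+` prefix, which indicates the SECURITY.md lines exceed the mailer's wrap width; wrapping the Markdown at a conventional line length would keep the patch intact when quoted and applied from mail.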
I'm happy with the OE-Core v2 so plan to merge that to the nanbield and master branches even if we've built rc1. I'm assuming Steve will add to the LTS branches too?

Cheers,

Richard
View/Reply Online (#189443): https://lists.openembedded.org/g/openembedded-core/message/189443
