Commit Graph

5 Commits

Author SHA1 Message Date
Paul Barker
f9b6465aa0 security-team: Add section on multi-project embargoes
This text is migrated from the Security private reporting wiki page [1],
originally written by Marta.

[1]: https://wiki.yoctoproject.org/wiki/index.php?title=Security_private_reporting&type=revision&diff=86034&oldid=86033

Cc: Marta Rybczynska <marta.rybczynska@ygreky.com>
(From yocto-docs rev: 365b24e25f47ab91ccdabd309aeb34e5ef5a9eb7)

Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit c5438ff6f02856afaff9575ac21e9959158efc4b)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-08 21:44:06 +01:00
Paul Barker
89274ac93d security-team: Tidy and update section on security team operations
The section "What Yocto Security Team does when it receives a security
vulnerability" duplicated information already found in the previous
section "Security Team Operations", so merge the sections and tidy up
the flow of the text.

While we're editing this, Mitre is now just one of the places you can go
to get a CVE assigned; many other CVE Numbering Authorities (CNAs) are
available. They also now have a web form for contact and requesting CVE
assignment, so let's link directly to that.

Also drop "If an upstream project does not respond quickly" down a
heading level.

(From yocto-docs rev: ca6a21c7cf652fabd0d48fda735a9074f9fe8af7)

Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 8efdc7df5c75e92449e74e4d40b763ee1df07adc)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-08 21:44:06 +01:00
Paul Barker
921c3654d8 security-team: Update membership list
Steve Sakoman has retired from the project. The TSC announced the need
for a new security team member and nominated me to join the team [1],
which was then confirmed after the nomination/comments period closed
[2].

[1]: https://lists.openembedded.org/g/openembedded-architecture/message/2352
[2]: https://lists.openembedded.org/g/openembedded-architecture/message/2375

(From yocto-docs rev: 22d0993a7e4c4438e80b29bd01407a5df5386768)

Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 9aca7328ae7bfd80fa9ed4a3c7efc9422b83b534)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-08 21:44:05 +01:00
Marta Rybczynska
2fd091dc4d security-team.rst: update my email address and key
Update my email address and expired key

(From yocto-docs rev: 527852c0398e85e437effebad9c46e78f90d306f)

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 7d4ebbf510f47edfef87ab3727f372c24fa5fc13)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
2026-06-08 21:44:05 +01:00
Antonin Godard
9b6d0d6e5a Add a new "Security" section
The current security-related documentation is a bit hard to find and
hidden within the development manual. However, these are processes that
are not part of a development task but rather belong to a vulnerability
reporting process.

Create a new "Security" section in the documentation to gather this
information. This will be directly visible in the sidebar when opening
the documentation.

Split the previous security-subjects.rst document into 2 documents:

- security-team.rst: defines the roles of the security team and its
  members.

- reporting-vulnerabilities.rst: guide to report vulnerabilities to the
  security team.

The plan is to backport these documents to active releases. As a
consequence, this section should be free of instructions and information
that only make sense for a specific release. It should _not_ contain
documents on how to enable security features with Yocto on target
devices; this is unrelated and can be left in the development manual
(for example: dev-manual/vulnerabilities.rst to deal with CVEs).

(From yocto-docs rev: 80556704f8b60b5bf903da497909cfda7dd1b28b)

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 81e14ca2d5cff9e2104c556655144b069633790c)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 09:41:30 +00:00