mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-01-29 21:08:42 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
cb99d0b1c52349125cbbc58cdd8555f120fc4ae9
poky/documentation/security-reference/reporting-vulnerabilities.rst
Antonin Godard cb99d0b1c5 Add a new "Security" section 
The current security-related documentation is a bit hard to find and
hidden within the development manual. However these are processes that
are not part of a development task but is rather a vulnerability
reporting process.

Create a new "Security" section in the documentation to gather this
information. This will be directly visible in the sidebar when opening
the documentation.

Split the previous security-subjects.rst document into 2 documents:

- security-team.rst: defines the roles of the security teams and its
  members.

- reporting-vulnerabilities.rst: guide to report vulnerabilities to the
  security team.

The plan is to backport these documents to active releases. As a
consequence, this section should be free of instructions and information
that only make sense for a specific release. It should _not_ contain
documents on how to enable security features with Yocto on target
devices, this is unrelated and can be left in the development manual
(for example: dev-manual/vulnerabilities.rst to deal with CVEs).

(From yocto-docs rev: 3fd0f37d708d88534dd6dbb51dc264911c349352)

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 81e14ca2d5cff9e2104c556655144b069633790c)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-26 18:54:18 +00:00

86 lines
4.0 KiB
ReStructuredText
Raw Blame History

.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
Reporting Vulnerabilities
*************************
The Yocto Project and OpenEmbedded are open-source, community-based projects
used in numerous products. They assemble multiple other open-source projects,
and need to handle security issues and practices both internal (in the code
maintained by both projects), and external (maintained by other projects and
organizations).
This manual assembles security-related information concerning the whole
ecosystem. It includes information on reporting a potential security issue,
the operation of the YP Security team and how to contribute in the
related code. It is written to be useful for both security researchers and
YP developers.
How to report a potential security vulnerability?
=================================================
If you would like to report a public issue (for example, one with a released
CVE number), please report it using the
:yocto_bugs:`Security Bugzilla </enter_bug.cgi?product=Security>`.
If you are dealing with a not-yet-released issue, or an urgent one, please send
a message to security AT yoctoproject DOT org, including as many details as
possible: the layer or software module affected, the recipe and its version,
and any example code, if available. This mailing list is monitored by the
Yocto Project Security team.
For each layer, you might also look for specific instructions (if any) for
reporting potential security issues in the specific ``SECURITY.md`` file at the
root of the repository. Instructions on how and where submit a patch are
usually available in ``README.md``. If this is your first patch to the
Yocto Project/OpenEmbedded, you might want to have a look into the
Contributor's Manual section
":ref:`contributor-guide/submit-changes:preparing changes for submission`".
Branches maintained with security fixes
---------------------------------------
See the
:ref:`Release process <ref-manual/release-process:Stable Release Process>`
documentation for details regarding the policies and maintenance of stable
branches.
The :yocto_home:`Releases </development/releases/>` page contains a list of all
releases of the Yocto Project, grouped into current and previous releases.
Previous releases are no longer actively maintained with security patches, but
well-tested patches may still be accepted for them for significant issues.
Security-related discussions at the Yocto Project
-------------------------------------------------
We have set up two security-related emails/mailing lists:
- Public Mailing List: yocto [dash] security [at] yoctoproject[dot] org
This is a public mailing list for anyone to subscribe to. This list is an
open list to discuss public security issues/patches and security-related
initiatives. For more information, including subscription information,
please see the :yocto_lists:`yocto-security mailing list info page
</g/yocto-security>`.
This list requires moderator approval for new topics to be posted, to avoid
private security reports to be posted by mistake.
- Yocto Project Security Team: security [at] yoctoproject [dot] org
This is an email for reporting non-published potential vulnerabilities.
Emails sent to this address are forwarded to the Yocto Project Security
Team members.
What you should do if you find a security vulnerability
-------------------------------------------------------
If you find a security flaw: a crash, an information leakage, or anything that
can have a security impact if exploited in any Open Source software built or
used by the Yocto Project, please report this to the Yocto Project Security
Team. If you prefer to contact the upstream project directly, please send a
copy to the security team at the Yocto Project as well. If you believe this is
highly sensitive information, please report the vulnerability in a secure way,
i.e. encrypt the email and send it to the private list. This ensures that
the exploit is not leaked and exploited before a response/fix has been generated.
Reference in New Issue View Git Blame Copy Permalink