* [PATCH] Add SECURITY.md
@ 2023-10-17 15:25 Marta Rybczynska
  2023-10-17 21:50 ` [OE-core] " Richard Purdie
  0 siblings, 1 reply; 7+ messages in thread
From: Marta Rybczynska @ 2023-10-17 15:25 UTC (permalink / raw)
  To: openembedded-core; +Cc: Marta Rybczynska, Marta Rybczynska

Add a SECURITY.md file with hints for security researchers and other
parties who might report potential security vulnerabilities.

Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
---
 SECURITY.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..900da76e59
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,17 @@
+How to Report a Vulnerability?
+==============================
+
+Please send a message to security AT yoctoproject DOT org, including as many details
+as possible: the layer or software module affected, the recipe and its version,
+and any example code, if available.
+
+Branches maintained with security fixes
+---------------------------------------
+
+See [https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS Stable release and LTS]
+for detailed info regarding the policies and maintenance of Stable branch.
+
+The [https://wiki.yoctoproject.org/wiki/Releases Release page] contains a list of all
+releases of the Yocto Project. Versions in grey are no longer actively maintained with
+security patches, but well-tested patches may still be accepted for them for
+significant issues.
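Review bot: the two links in this hunk use MediaWiki bracket syntax (`[https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS Stable release and LTS]`), which does not render as a link in a Markdown file; since this is SECURITY.md, write them as `[Stable release and LTS](https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS)` and `[Release page](https://wiki.yoctoproject.org/wiki/Releases)`. In the same paragraph, "maintenance of Stable branch" should read "maintenance of stable branches" to match the plural heading above it. The reporting section also sends every report, public or not, to the private address; a sentence distinguishing already-public issues from non-public or urgent ones would help reporters pick the right channel.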
-- 
2.39.2




* Re: [OE-core] [PATCH] Add SECURITY.md
  2023-10-17 15:25 [PATCH] Add SECURITY.md Marta Rybczynska
@ 2023-10-17 21:50 ` Richard Purdie
  2023-10-18  5:03   ` Marta Rybczynska
  0 siblings, 1 reply; 7+ messages in thread
From: Richard Purdie @ 2023-10-17 21:50 UTC (permalink / raw)
  To: Marta Rybczynska, openembedded-core; +Cc: Marta Rybczynska

On Tue, 2023-10-17 at 17:25 +0200, Marta Rybczynska wrote:
> Add a SECURITY.md file with hints for security researchers and other
> parties who might report potential security vulnerabilities.
> 
> Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
> ---
>  SECURITY.md | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
>  create mode 100644 SECURITY.md
> 
> diff --git a/SECURITY.md b/SECURITY.md
> new file mode 100644
> index 0000000000..900da76e59
> --- /dev/null
> +++ b/SECURITY.md
> @@ -0,0 +1,17 @@
> +How to Report a Vulnerability?
> +==============================
> +
> +Please send a message to security AT yoctoproject DOT org, including as many details
> +as possible: the layer or software module affected, the recipe and its version,
> +and any example code, if available.

Rather than send everyone to the security address, can we suggest
bugzilla as the first port of call for anything public knowledge and
less urgent and to only use the security address for non-public or
urgent issues?

We do have the ability to mark bugs as security and private and then
triage unlocks them too.

Cheers,

Richard



* Re: [OE-core] [PATCH] Add SECURITY.md
  2023-10-17 21:50 ` [OE-core] " Richard Purdie
@ 2023-10-18  5:03   ` Marta Rybczynska
  2023-10-19 10:30     ` Richard Purdie
  0 siblings, 1 reply; 7+ messages in thread
From: Marta Rybczynska @ 2023-10-18  5:03 UTC (permalink / raw)
  To: Richard Purdie; +Cc: openembedded-core, Marta Rybczynska

On Tue, Oct 17, 2023 at 11:50 PM Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
>
> On Tue, 2023-10-17 at 17:25 +0200, Marta Rybczynska wrote:
> > Add a SECURITY.md file with hints for security researchers and other
> > parties who might report potential security vulnerabilities.
> >
> > Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
> > ---
> >  SECURITY.md | 17 +++++++++++++++++
> >  1 file changed, 17 insertions(+)
> >  create mode 100644 SECURITY.md
> >
> > diff --git a/SECURITY.md b/SECURITY.md
> > new file mode 100644
> > index 0000000000..900da76e59
> > --- /dev/null
> > +++ b/SECURITY.md
> > @@ -0,0 +1,17 @@
> > +How to Report a Vulnerability?
> > +==============================
> > +
> > +Please send a message to security AT yoctoproject DOT org, including as many details
> > +as possible: the layer or software module affected, the recipe and its version,
> > +and any example code, if available.
>
> Rather than send everyone to the security address, can we suggest
> bugzilla as the first port of call for anything public knowledge and
> less urgent and to only use the security address for non-public or
> urgent issues?
>
> We do have the ability to mark bugs as security and private and then
> triage unlocks them too.
>

Absolutely. I will be sending a v2 to OE-core only. When we agree on this one,
I will send it also to other layers. As they might come in different
combinations, a SECURITY.md for each layer (like README) gives us best visibility.

Regards,
Marta



* Re: [OE-core] [PATCH] Add SECURITY.md
  2023-10-18  5:03   ` Marta Rybczynska
@ 2023-10-19 10:30     ` Richard Purdie
  0 siblings, 0 replies; 7+ messages in thread
From: Richard Purdie @ 2023-10-19 10:30 UTC (permalink / raw)
  To: Marta Rybczynska; +Cc: openembedded-core, Marta Rybczynska, Steve Sakoman

On Wed, 2023-10-18 at 07:03 +0200, Marta Rybczynska wrote:
> On Tue, Oct 17, 2023 at 11:50 PM Richard Purdie
> <richard.purdie@linuxfoundation.org> wrote:
> > 
> > On Tue, 2023-10-17 at 17:25 +0200, Marta Rybczynska wrote:
> > > Add a SECURITY.md file with hints for security researchers and other
> > > parties who might report potential security vulnerabilities.
> > > 
> > > Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
> > > ---
> > >  SECURITY.md | 17 +++++++++++++++++
> > >  1 file changed, 17 insertions(+)
> > >  create mode 100644 SECURITY.md
> > > 
> > > diff --git a/SECURITY.md b/SECURITY.md
> > > new file mode 100644
> > > index 0000000000..900da76e59
> > > --- /dev/null
> > > +++ b/SECURITY.md
> > > @@ -0,0 +1,17 @@
> > > +How to Report a Vulnerability?
> > > +==============================
> > > +
> > > +Please send a message to security AT yoctoproject DOT org, including as many details
> > > +as possible: the layer or software module affected, the recipe and its version,
> > > +and any example code, if available.
> > 
> > Rather than send everyone to the security address, can we suggest
> > bugzilla as the first port of call for anything public knowledge and
> > less urgent and to only use the security address for non-public or
> > urgent issues?
> > 
> > We do have the ability to mark bugs as security and private and then
> > triage unlocks them too.
> > 
> 
> Absolutely. I will be sending a v2 to OE-core only. When we agree on this one,
> I will send it also to other layers. As they might come in different
> combinations, a SECURITY.md for each layer (like README) gives us best visibility.

I'm happy with the OE-Core v2 so plan to merge that to the nanbield and
master branches even if we've built rc1. I'm assuming Steve will add to
the LTS branches too?

Cheers,

Richard



* Re: [PATCH] Add SECURITY.md
  2024-03-18 13:37 ross.burton
@ 2024-03-18 18:25 ` Jon Mason
  0 siblings, 0 replies; 7+ messages in thread
From: Jon Mason @ 2024-03-18 18:25 UTC (permalink / raw)
  To: meta-arm, ross.burton


On Mon, 18 Mar 2024 13:37:30 +0000, ross.burton@arm.com wrote:
> 
> 

Applied, thanks!

[1/1] Add SECURITY.md
      commit: c93a1459dafa86a0bef346e95f688e7c32bc5eef

Best regards,
-- 
Jon Mason <jon.mason@arm.com>



* [PATCH] Add SECURITY.md
@ 2024-03-18 13:37 ross.burton
  2024-03-18 18:25 ` Jon Mason
  0 siblings, 1 reply; 7+ messages in thread
From: ross.burton @ 2024-03-18 13:37 UTC (permalink / raw)
  To: meta-arm

From: Ross Burton <ross.burton@arm.com>

---
 SECURITY.md | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..0fa6cbcd
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,37 @@
+# Reporting vulnerabilities
+
+Arm takes security issues seriously and welcomes feedback from researchers and
+the security community in order to improve the security of its products and
+services. We operate a coordinated disclosure policy for disclosing
+vulnerabilities and other security issues.
+
+Security issues can be complex and one single timescale doesn't fit all
+circumstances. We will make best endeavours to inform you when we expect
+security notifications and fixes to be available and facilitate coordinated
+disclosure when notifications and patches/mitigations are available.
+
+
+## How to Report a Potential Vulnerability?
+
+If you would like to report a public issue (for example, one with a released CVE
+number), please contact the meta-arm mailing list at
+meta-arm@lists.yoctoproject.org and arm-security@arm.com.
+
+If you are dealing with a not-yet released or urgent issue, please send a mail
+to the maintainers (see README.md) and arm-security@arm.com, including as much
+detail as possible.  Encrypted emails using PGP are welcome.
+
+For more information, please visit https://developer.arm.com/support/arm-security-updates/report-security-vulnerabilities.
+
+
+## Branches maintained with security fixes
+
+meta-arm follows the Yocto release model, so see
+[https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS Stable release and
+LTS] for detailed info regarding the policies and maintenance of stable
+branches.
+
+The [https://wiki.yoctoproject.org/wiki/Releases Release page] contains a list of all
+releases of the Yocto Project. Versions in grey are no longer actively maintained with
+security patches, but well-tested patches may still be accepted for them for
+significant issues.
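Review bot: "Encrypted emails using PGP are welcome" gives a reporter no way to find the key to encrypt to; add a key fingerprint or a URL where the arm-security@arm.com public key is published next to that sentence, otherwise the offer cannot be taken up safely. The two wiki links in the "Branches maintained with security fixes" section use MediaWiki bracket syntax (`[https://wiki.yoctoproject.org/wiki/Releases Release page]`), which renders as literal brackets in Markdown; use `[Release page](https://wiki.yoctoproject.org/wiki/Releases)` and the same form for the Stable release and LTS link. Separately, the commit message above the diff has no body and no Signed-off-by line.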
-- 
2.34.1




* [PATCH] Add SECURITY.md
@ 2023-10-17 15:23 Marta Rybczynska
  0 siblings, 0 replies; 7+ messages in thread
From: Marta Rybczynska @ 2023-10-17 15:23 UTC (permalink / raw)
  To: bitbake-devel; +Cc: Marta Rybczynska, Marta Rybczynska

Add a SECURITY.md file with hints for security researchers and other
parties who might report potential security vulnerabilities.

Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
---
 SECURITY.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..900da76e
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,17 @@
+How to Report a Vulnerability?
+==============================
+
+Please send a message to security AT yoctoproject DOT org, including as many details
+as possible: the layer or software module affected, the recipe and its version,
+and any example code, if available.
+
+Branches maintained with security fixes
+---------------------------------------
+
+See [https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS Stable release and LTS]
+for detailed info regarding the policies and maintenance of Stable branch.
+
+The [https://wiki.yoctoproject.org/wiki/Releases Release page] contains a list of all
+releases of the Yocto Project. Versions in grey are no longer actively maintained with
+security patches, but well-tested patches may still be accepted for them for
+significant issues.
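Review bot: the links in this hunk are written in MediaWiki bracket syntax (`[https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS Stable release and LTS]`) and will not render as links in a Markdown file; for the bitbake SECURITY.md use `[Stable release and LTS](https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS)` and `[Release page](https://wiki.yoctoproject.org/wiki/Releases)`. "maintenance of Stable branch" should also be "maintenance of stable branches", matching the heading.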
-- 
2.39.2



