From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Titouan Christophe <titouan.christophe@mind.be>
Cc: Thomas Perale <thomas.perale@mind.be>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH v2 2/2] SECURITY.md: add new file
Date: Fri, 3 Apr 2026 12:28:12 +0200
Message-ID: <20260403102812.210516-1-thomas.perale@mind.be>
In-Reply-To: <20260326081422.945900-3-titouan.christophe@mind.be>
In reply of:
> This is an in-tree description of Buildroot's security policies
>
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
Applied to 2025.02.x & 2026.02.x. Thanks
> ---
> Changes v1->v2:
> - Add references to the Buildroot User Manual for vulnerability tracking
> - Add links to autobuilder pkg-stats and Buildroot security website
> - Link to CPE info for Buildroot
> - Explicitly say that security@buildroot.org is a private ML
> ---
> SECURITY.md | 36 ++++++++++++++++++++++++++++++++++++
> 1 file changed, 36 insertions(+)
> create mode 100644 SECURITY.md
>
> diff --git a/SECURITY.md b/SECURITY.md
> new file mode 100644
> index 0000000000..6b21ffd2b9
> --- /dev/null
> +++ b/SECURITY.md
> @@ -0,0 +1,36 @@
> +# Security Policy
> +
> +## Security advisories
> +
> +Advisories for Buildroot security vulnerabilities are reported on the
> +developer's mailing list. A public archive can be consulted on
> +https://lists.buildroot.org/mailman/listinfo/buildroot
> +
> +Buildroot itself has a CPE to track its published vulnerabilities:
> +https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=buildroot
> +
> +The Buildroot project provides some ways for its users to track known
> +vulnerabilites in the packages included in the generated images, see:
> +- https://nightly.buildroot.org/manual.html#_details_about_packages
> +
> +In addition, detailed informations for all packages integrated with Buildroot
> +are updated daily on the following public web pages:
> +- https://security.buildroot.org/
> +- https://autobuild.buildroot.org/stats/
> +
> +## Reporting a Vulnerability
> +
> +To report a security vulnerability found in the Buildroot build system itself,
> +please send an email to [security@buildroot.org](mailto:security@buildroot.org).
> +
> +This is a private mailing list contacting the Buildroot maintainers only.
> +
> +## Vulnerabilities in packages
> +
> +Buildroot is a build system that cross-compiles packages from third-party
> +sources. The Buildroot developers are not responsible for security
> +vulnerabilities in these packages. Such vulnerabilities should be reported
> +directly to the upstream project that maintains the affected package.
> +
> +When vulnerabilities are fixed upstream, send a patch to update the affected
> +packages in Buildroot.
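Review bot: the "Reporting a Vulnerability" section tells reporters where to write but not what to send or what to expect, so consider adding, under that heading, a short list of what a useful report contains (affected Buildroot version or commit, the package or build-system component concerned, steps to reproduce) and a sentence on how the maintainers handle private reports (acknowledgement, whether a fix is coordinated with the reporter before disclosure on the public list). Since the list is described as private, also state whether reports can be encrypted; if a PGP key exists, link it here, otherwise say plainly that reports are sent in clear text. Two spelling points in the same hunk: "vulnerabilites" should be "vulnerabilities", and "detailed informations" should be "detailed information". Finally, "reported on the developer's mailing list" reads as one developer's list; "the developers' mailing list" (or "the buildroot mailing list", matching the archive URL that follows) is clearer.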
> --
> 2.53.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
Thread overview: 7+ messages
2026-03-26 8:14 [Buildroot] [PATCH v2 0/2] Add security policy information Titouan Christophe via buildroot
2026-03-26 8:14 ` [Buildroot] [PATCH v2 1/2] docs/website: add security contact information on the homepage Titouan Christophe via buildroot
2026-03-26 20:16 ` Julien Olivain via buildroot
2026-03-26 8:14 ` [Buildroot] [PATCH v2 2/2] SECURITY.md: add new file Titouan Christophe via buildroot
2026-03-26 9:38 ` Fiona Klute via buildroot
2026-03-26 20:24 ` Julien Olivain via buildroot
2026-04-03 10:28 ` Thomas Perale via buildroot [this message]