From: Julien Olivain via buildroot <buildroot@buildroot.org>
To: Titouan Christophe <titouan.christophe@mind.be>
Cc: buildroot@buildroot.org,
Thomas Petazzoni <thomas.petazzoni@bootlin.com>,
Romain Naour <romain.naour@gmail.com>,
Thomas Perale <thomas.perale@mind.be>,
Marcus Hoffmann <bubu@bubu1.eu>
Subject: Re: [Buildroot] [PATCH RFC 2/2] SECURITY.md: add new file
Date: Tue, 24 Mar 2026 19:30:22 +0100 [thread overview]
Message-ID: <481d246b5592f0cc3833e11468b453c8@free.fr> (raw)
In-Reply-To: <20260324073706.654995-3-titouan.christophe@mind.be>
Hi Titouan,
Thanks for the patch. I have few suggestions, see below.
On 24/03/2026 08:37, Titouan Christophe via buildroot wrote:
> This is an in-tree description of Buildroot's security policy
>
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
> ---
> SECURITY.md | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
> create mode 100644 SECURITY.md
>
> diff --git a/SECURITY.md b/SECURITY.md
> new file mode 100644
> index 0000000000..6b955638df
> --- /dev/null
> +++ b/SECURITY.md
> @@ -0,0 +1,16 @@
> +# Security Policy
> +
> +## Reporting a Vulnerability
> +
> +To report a security vulnerability found in the Buildroot build system
> itself,
> +please send an email to
> [security@buildroot.org](mailto:security@buildroot.org).
Maybe we should make explicit this email is a private one.
For example:
"""
Note: this is a private mailing list contacting the Buildroot
maintainers.
"""
About Buildroot vulnerabilities, we could also mention that Buildroot
security advisories are announced publicly on the general mailing list.
https://lists.buildroot.org/mailman/listinfo/buildroot
Buildroot itself has a CPE to track its published vulnerabilities:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=buildroot
> +
> +## Vulnerabilities in packages
> +
> +Buildroot is a build system that cross-compiles packages from
> third-party
> +sources. The Buildroot developers are not responsible for security
> +vulnerabilities in these packages. Such vulnerabilities should be
> reported
> +directly to the upstream project that maintains the affected package.
Regarding vulnerability in packages, I would also suggest to add
here a comment suggesting Buildroot provides ways to monitor the
vulnerability of those packages:
"""
While Buildroot does not have the responsibility to fix those
upstream packages, Buildroot provide ways to its users to track
the published vulnerabilities of its packages included in the
generated images.
See for example:
https://nightly.buildroot.org/manual.html#_details_about_packages
https://autobuild.buildroot.org/stats/
https://security.buildroot.org/
"""
> +
> +When vulnerabilities are fixed upstream, send a patch to update the
> affected
> +packages in Buildroot.
> --
> 2.53.0
What do you think?
Best regards,
Julien.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
prev parent reply other threads:[~2026-03-24 18:30 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-24 7:37 [Buildroot] [PATCH RFC 0/2] Add security policy information Titouan Christophe via buildroot
2026-03-24 7:37 ` [Buildroot] [PATCH RFC 1/2] docs/website: add security contact information on the homepage Titouan Christophe via buildroot
2026-03-24 7:37 ` [Buildroot] [PATCH RFC 2/2] SECURITY.md: add new file Titouan Christophe via buildroot
2026-03-24 18:30 ` Julien Olivain via buildroot [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=481d246b5592f0cc3833e11468b453c8@free.fr \
--to=buildroot@buildroot.org \
--cc=bubu@bubu1.eu \
--cc=ju.o@free.fr \
--cc=romain.naour@gmail.com \
--cc=thomas.perale@mind.be \
--cc=thomas.petazzoni@bootlin.com \
--cc=titouan.christophe@mind.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox