* [Buildroot] [PATCH RFC 0/2] Add security policy information
From: Titouan Christophe via buildroot @ 2026-03-24 7:37 UTC
To: buildroot
Cc: Julien Olivain, Thomas Petazzoni, Romain Naour, Thomas Perale,
Marcus Hoffmann
Add basic security contacts for the Buildroot project, as per this
requirement from OpenSSF Best Practices:
> While active, the project documentation MUST contain security contacts. [OSPS-VM-02.01]
> Create a security.md (or similarly-named) file that contains security contacts for the project.
Titouan Christophe (2):
docs/website: add security contact information on the homepage
SECURITY.md: add new file
SECURITY.md | 16 ++++++++++++++++
docs/website/index.html | 11 +++++++++++
2 files changed, 27 insertions(+)
create mode 100644 SECURITY.md
--
2.53.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* [Buildroot] [PATCH RFC 1/2] docs/website: add security contact information on the homepage
From: Titouan Christophe via buildroot @ 2026-03-24 7:37 UTC
To: buildroot
Cc: Julien Olivain, Thomas Petazzoni, Romain Naour, Thomas Perale,
Marcus Hoffmann
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
docs/website/index.html | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/docs/website/index.html b/docs/website/index.html
index d68436c721..027fd485e0 100644
--- a/docs/website/index.html
+++ b/docs/website/index.html
@@ -148,4 +148,15 @@
</div>
</div><!-- /container -->
+<div class="container">
+ <div class="row mt centered">
+ <div class="col-lg-6 col-lg-offset-3">
+ <h1>Security</h1>
+ <h3>To report a security vulnerability, please send an email to
+ <a href="mailto:security@buildroot.org">security@buildroot.org</a>.</h3>
+ </div>
+ </div><!-- /row -->
+ <hr>
+</div><!-- /container -->
+
<!--#include file="footer.html" -->
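Review bot: the added `<h3>To report a security vulnerability, please send an email to ...</h3>` wraps a full sentence of body text in a heading element, and it sits directly under an `<h1>`, so the heading outline skips a level and screen readers and crawlers will index the sentence as a section title; a `<p>` for the sentence keeps the outline clean. The same contact text is repeated verbatim in SECURITY.md (patch 2/2) with nothing tying the two together; consider linking this section to the in-tree policy so the address and the reporting process cannot drift apart when one of them is updated.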
--
2.53.0
* [Buildroot] [PATCH RFC 2/2] SECURITY.md: add new file
From: Titouan Christophe via buildroot @ 2026-03-24 7:37 UTC
To: buildroot
Cc: Julien Olivain, Thomas Petazzoni, Romain Naour, Thomas Perale,
Marcus Hoffmann
This is an in-tree description of Buildroot's security policy.
Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
SECURITY.md | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..6b955638df
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,16 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+To report a security vulnerability found in the Buildroot build system itself,
+please send an email to [security@buildroot.org](mailto:security@buildroot.org).
+
+## Vulnerabilities in packages
+
+Buildroot is a build system that cross-compiles packages from third-party
+sources. The Buildroot developers are not responsible for security
+vulnerabilities in these packages. Such vulnerabilities should be reported
+directly to the upstream project that maintains the affected package.
+
+When vulnerabilities are fixed upstream, send a patch to update the affected
+packages in Buildroot.
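Review bot: the "Reporting a Vulnerability" section at `+To report a security vulnerability found in the Buildroot build system itself,` only names the address; it does not say whether security@buildroot.org is a private channel, who reads it, or what a reporter can expect next (acknowledgement, coordinated fix, where the advisory is published). Without that, a reporter holding details of an unpatched issue has no basis to trust the channel and may post publicly instead. Suggest stating that the address reaches the maintainers privately and where fixed issues are announced. The "Vulnerabilities in packages" section could likewise mention the vulnerability-tracking support Buildroot already offers for the packages in a generated image (the package details in the manual and https://security.buildroot.org/, both cited later in this thread), so the section reads as more than a referral upstream.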
--
2.53.0
* Re: [Buildroot] [PATCH RFC 2/2] SECURITY.md: add new file
From: Julien Olivain via buildroot @ 2026-03-24 18:30 UTC
To: Titouan Christophe
Cc: buildroot, Thomas Petazzoni, Romain Naour, Thomas Perale,
Marcus Hoffmann
Hi Titouan,
Thanks for the patch. I have a few suggestions, see below.
On 24/03/2026 08:37, Titouan Christophe via buildroot wrote:
> This is an in-tree description of Buildroot's security policy
>
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
> ---
> SECURITY.md | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
> create mode 100644 SECURITY.md
>
> diff --git a/SECURITY.md b/SECURITY.md
> new file mode 100644
> index 0000000000..6b955638df
> --- /dev/null
> +++ b/SECURITY.md
> @@ -0,0 +1,16 @@
> +# Security Policy
> +
> +## Reporting a Vulnerability
> +
> +To report a security vulnerability found in the Buildroot build system
> itself,
> +please send an email to
> [security@buildroot.org](mailto:security@buildroot.org).
Maybe we should make it explicit that this email is a private one.
For example:
"""
Note: this is a private mailing list contacting the Buildroot
maintainers.
"""
About Buildroot vulnerabilities, we could also mention that Buildroot
security advisories are announced publicly on the general mailing list.
https://lists.buildroot.org/mailman/listinfo/buildroot
Buildroot itself has a CPE to track its published vulnerabilities:
https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=buildroot
> +
> +## Vulnerabilities in packages
> +
> +Buildroot is a build system that cross-compiles packages from
> third-party
> +sources. The Buildroot developers are not responsible for security
> +vulnerabilities in these packages. Such vulnerabilities should be
> reported
> +directly to the upstream project that maintains the affected package.
Regarding vulnerabilities in packages, I would also suggest adding here
a comment saying that Buildroot provides ways to monitor the
vulnerability of those packages:
"""
While Buildroot does not have the responsibility to fix those
upstream packages, Buildroot provides ways for its users to track
the published vulnerabilities of the packages included in the
generated images.
See for example:
https://nightly.buildroot.org/manual.html#_details_about_packages
https://autobuild.buildroot.org/stats/
https://security.buildroot.org/
"""
> +
> +When vulnerabilities are fixed upstream, send a patch to update the
> affected
> +packages in Buildroot.
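Review bot: `+When vulnerabilities are fixed upstream, send a patch to update the affected packages in Buildroot.` says to send a patch but not where; someone reaching SECURITY.md from a forge UI will not know that Buildroot takes patches on the buildroot@buildroot.org mailing list rather than via pull requests. Suggest naming the list (or linking the contribution chapter of the manual) in that sentence, and making clear that such package bumps are ordinary public patches, as opposed to reports about the build system itself, which go to the security address.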
> --
> 2.53.0
What do you think?
Best regards,
Julien.