[Buildroot] [PATCH v2 0/2] Add security policy information

[Buildroot] [PATCH v2 0/2] Add security policy information

[Titouan Christophe via buildroot]

As part of the effort to obtain the OpenSSF Best Practices badge for the
Buildroot project, add basic security contacts for the Buildroot project.

This helps fulfilling the following requirements:

> While active, the project documentation MUST contain security contacts. [OSPS-VM-02.01]
> Create a security.md (or similarly-named) file that contains security contacts for the project.

> The project MUST publish the process for reporting vulnerabilities on the project site.

> If private vulnerability reports are supported, the project MUST include
> how to send the information in a way that is kept private.

Titouan Christophe (2):
  docs/website: add security contact information on the homepage
  SECURITY.md: add new file

 SECURITY.md             | 36 ++++++++++++++++++++++++++++++++++++
 docs/website/index.html | 11 +++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 SECURITY.md
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2 1/2] docs/website: add security contact information on the homepage

[Titouan Christophe via buildroot]

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
(no changes since v1 in this patch)
---
 docs/website/index.html | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/docs/website/index.html b/docs/website/index.html
index d68436c721..027fd485e0 100644
--- a/docs/website/index.html
+++ b/docs/website/index.html
@@ -148,4 +148,15 @@
   </div>
 </div><!-- /container -->
 
+<div class="container">
+  <div class="row mt centered">
+    <div class="col-lg-6 col-lg-offset-3">
+      <h1>Security</h1>
+      <h3>To report a security vulnerability, please send an email to
+	<a href="mailto:security@buildroot.org">security@buildroot.org</a>.</h3>
+    </div>
+  </div><!-- /row -->
+  <hr>
+</div><!-- /container -->
+
 <!--#include file="footer.html" -->
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH v2 2/2] SECURITY.md: add new file

[Titouan Christophe via buildroot]

This is an in-tree description of Buildroot's security policies

Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
---
Changes v1->v2:
- Add references to the Buildroot User Manual for vulnerability tracking
- Add links to autobuilder pkg-stats and Buildroot security website
- Link to CPE info for Buildroot
- Explicitely say that security@buildroot.org is a private ML
---
 SECURITY.md | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..6b21ffd2b9
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,36 @@
+# Security Policy
+
+## Security advisories
+
+Advisories for Buildroot security vulnerabilities are reported on the
+developer's mailing list. A public archive can be consulted on
+https://lists.buildroot.org/mailman/listinfo/buildroot
+
+Buildroot itself has a CPE to track its published vulnerabilities:
+https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=buildroot
+
+The Buildroot project provides some ways for its users to track known
+vulnerabilites in the packages included in the generated images, see:
+- https://nightly.buildroot.org/manual.html#_details_about_packages
+
+In addition, detailed informations for all packages integrated with Buildroot
+are updated daily on the following public web pages:
+- https://security.buildroot.org/
+- https://autobuild.buildroot.org/stats/
+
+## Reporting a Vulnerability
+
+To report a security vulnerability found in the Buildroot build system itself,
+please send an email to [security@buildroot.org](mailto:security@buildroot.org).
+
+This is a private mailing list contacting the Buildroot maintainers only.
+
+## Vulnerabilities in packages
+
+Buildroot is a build system that cross-compiles packages from third-party
+sources. The Buildroot developers are not responsible for security
+vulnerabilities in these packages. Such vulnerabilities should be reported
+directly to the upstream project that maintains the affected package.
+
+When vulnerabilities are fixed upstream, send a patch to update the affected
+packages in Buildroot.
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 2/2] SECURITY.md: add new file

[Fiona Klute via buildroot]

Hi Titouan!

Am 26.03.26 um 10:14 schrieb Titouan Christophe via buildroot:
> This is an in-tree description of Buildroot's security policies
> 
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
> ---
> Changes v1->v2:
> - Add references to the Buildroot User Manual for vulnerability tracking
> - Add links to autobuilder pkg-stats and Buildroot security website
> - Link to CPE info for Buildroot
> - Explicitely say that security@buildroot.org is a private ML
> ---
>   SECURITY.md | 36 ++++++++++++++++++++++++++++++++++++
>   1 file changed, 36 insertions(+)
>   create mode 100644 SECURITY.md
> 
> diff --git a/SECURITY.md b/SECURITY.md
> new file mode 100644
> index 0000000000..6b21ffd2b9
> --- /dev/null
> +++ b/SECURITY.md
> @@ -0,0 +1,36 @@
> +# Security Policy
> +
> +## Security advisories
> +
> +Advisories for Buildroot security vulnerabilities are reported on the
> +developer's mailing list. A public archive can be consulted on
> +https://lists.buildroot.org/mailman/listinfo/buildroot
> +
> +Buildroot itself has a CPE to track its published vulnerabilities:
> +https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=buildroot
> +
> +The Buildroot project provides some ways for its users to track known
> +vulnerabilites in the packages included in the generated images, see:
> +- https://nightly.buildroot.org/manual.html#_details_about_packages
> +
> +In addition, detailed informations for all packages integrated with Buildroot
> +are updated daily on the following public web pages:
> +- https://security.buildroot.org/
> +- https://autobuild.buildroot.org/stats/
> +
> +## Reporting a Vulnerability
> +
> +To report a security vulnerability found in the Buildroot build system itself,
> +please send an email to [security@buildroot.org](mailto:security@buildroot.org).
> +
> +This is a private mailing list contacting the Buildroot maintainers only.
> +
> +## Vulnerabilities in packages
> +
> +Buildroot is a build system that cross-compiles packages from third-party
> +sources. The Buildroot developers are not responsible for security
> +vulnerabilities in these packages. Such vulnerabilities should be reported
> +directly to the upstream project that maintains the affected package.
> +
> +When vulnerabilities are fixed upstream, send a patch to update the affected
> +packages in Buildroot.

I'm not sure what the ideal phrasing is, but I think it is important to 
be clear here that bugfix patches (especially but not exclusively 
security ones) may be merged independently of upstream releases, though 
they should be sent upstream first. People following this ML probably 
know that, but for someone new it may be an important hint.

Best regards,
Fiona
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 1/2] docs/website: add security contact information on the homepage

[Julien Olivain via buildroot]

On 26/03/2026 09:14, Titouan Christophe via buildroot wrote:
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>

Series applied to master, thanks.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 2/2] SECURITY.md: add new file

[Julien Olivain via buildroot]

Hi Fiona, Titouan, All,

On 26/03/2026 10:38, Fiona Klute via buildroot wrote:
> Hi Titouan!
> 
> Am 26.03.26 um 10:14 schrieb Titouan Christophe via buildroot:
>> This is an in-tree description of Buildroot's security policies
>> 
>> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
>> ---
>> Changes v1->v2:
>> - Add references to the Buildroot User Manual for vulnerability 
>> tracking
>> - Add links to autobuilder pkg-stats and Buildroot security website
>> - Link to CPE info for Buildroot
>> - Explicitely say that security@buildroot.org is a private ML
>> ---
>>   SECURITY.md | 36 ++++++++++++++++++++++++++++++++++++
>>   1 file changed, 36 insertions(+)
>>   create mode 100644 SECURITY.md
>> 
>> diff --git a/SECURITY.md b/SECURITY.md
>> new file mode 100644
>> index 0000000000..6b21ffd2b9
>> --- /dev/null
>> +++ b/SECURITY.md
>> @@ -0,0 +1,36 @@
>> +# Security Policy
>> +
>> +## Security advisories
>> +
>> +Advisories for Buildroot security vulnerabilities are reported on the
>> +developer's mailing list. A public archive can be consulted on
>> +https://lists.buildroot.org/mailman/listinfo/buildroot
>> +
>> +Buildroot itself has a CPE to track its published vulnerabilities:
>> +https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=buildroot
>> +
>> +The Buildroot project provides some ways for its users to track known
>> +vulnerabilites in the packages included in the generated images, see:
>> +- https://nightly.buildroot.org/manual.html#_details_about_packages
>> +
>> +In addition, detailed informations for all packages integrated with 
>> Buildroot
>> +are updated daily on the following public web pages:
>> +- https://security.buildroot.org/
>> +- https://autobuild.buildroot.org/stats/
>> +
>> +## Reporting a Vulnerability
>> +
>> +To report a security vulnerability found in the Buildroot build 
>> system itself,
>> +please send an email to 
>> [security@buildroot.org](mailto:security@buildroot.org).
>> +
>> +This is a private mailing list contacting the Buildroot maintainers 
>> only.
>> +
>> +## Vulnerabilities in packages
>> +
>> +Buildroot is a build system that cross-compiles packages from 
>> third-party
>> +sources. The Buildroot developers are not responsible for security
>> +vulnerabilities in these packages. Such vulnerabilities should be 
>> reported
>> +directly to the upstream project that maintains the affected package.
>> +
>> +When vulnerabilities are fixed upstream, send a patch to update the 
>> affected
>> +packages in Buildroot.
> 
> I'm not sure what the ideal phrasing is, but I think it is important to 
> be clear here that bugfix patches (especially but not exclusively 
> security ones) may be merged independently of upstream releases, though 
> they should be sent upstream first. People following this ML probably 
> know that, but for someone new it may be an important hint.

While I agree with your comment, I still applied this patch as is.

I think this SECURITY.md file (which is here for "administrative" 
reasons) should remain
as short as possible, and all those security/bugfix patches details 
should preferably go
in the manual:
https://nightly.buildroot.org/manual.html#_contributing_to_buildroot
https://nightly.buildroot.org/manual.html#RELENG

Those sections needs few refreshes, to include the new LTS model, and 
the details to
manage those patches to help LTS maintainers. When those sections will 
be up to date,
we will simply add a link here pointing to those sections.

> Best regards,
> Fiona

Best regards,

Julien.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH v2 2/2] SECURITY.md: add new file

[Thomas Perale via buildroot]

In reply of:
> This is an in-tree description of Buildroot's security policies
> 
> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>

Applied to 2025.02.x & 2026.02.x. Thanks

> ---
> Changes v1->v2:
> - Add references to the Buildroot User Manual for vulnerability tracking
> - Add links to autobuilder pkg-stats and Buildroot security website
> - Link to CPE info for Buildroot
> - Explicitely say that security@buildroot.org is a private ML
> ---
>  SECURITY.md | 36 ++++++++++++++++++++++++++++++++++++
>  1 file changed, 36 insertions(+)
>  create mode 100644 SECURITY.md
> 
> diff --git a/SECURITY.md b/SECURITY.md
> new file mode 100644
> index 0000000000..6b21ffd2b9
> --- /dev/null
> +++ b/SECURITY.md
> @@ -0,0 +1,36 @@
> +# Security Policy
> +
> +## Security advisories
> +
> +Advisories for Buildroot security vulnerabilities are reported on the
> +developer's mailing list. A public archive can be consulted on
> +https://lists.buildroot.org/mailman/listinfo/buildroot
> +
> +Buildroot itself has a CPE to track its published vulnerabilities:
> +https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=buildroot
> +
> +The Buildroot project provides some ways for its users to track known
> +vulnerabilites in the packages included in the generated images, see:
> +- https://nightly.buildroot.org/manual.html#_details_about_packages
> +
> +In addition, detailed informations for all packages integrated with Buildroot
> +are updated daily on the following public web pages:
> +- https://security.buildroot.org/
> +- https://autobuild.buildroot.org/stats/
> +
> +## Reporting a Vulnerability
> +
> +To report a security vulnerability found in the Buildroot build system itself,
> +please send an email to [security@buildroot.org](mailto:security@buildroot.org).
> +
> +This is a private mailing list contacting the Buildroot maintainers only.
> +
> +## Vulnerabilities in packages
> +
> +Buildroot is a build system that cross-compiles packages from third-party
> +sources. The Buildroot developers are not responsible for security
> +vulnerabilities in these packages. Such vulnerabilities should be reported
> +directly to the upstream project that maintains the affected package.
> +
> +When vulnerabilities are fixed upstream, send a patch to update the affected
> +packages in Buildroot.
> -- 
> 2.53.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot