From: Julien Olivain via buildroot <buildroot@buildroot.org>
To: Fiona Klute <fiona.klute@gmx.de>
Cc: Titouan Christophe <titouan.christophe@mind.be>,
buildroot@buildroot.org,
Thomas Petazzoni <thomas.petazzoni@bootlin.com>,
Romain Naour <romain.naour@gmail.com>,
Thomas Perale <thomas.perale@mind.be>,
Marcus Hoffmann <bubu@bubu1.eu>
Subject: Re: [Buildroot] [PATCH v2 2/2] SECURITY.md: add new file
Date: Thu, 26 Mar 2026 21:24:30 +0100
Message-ID: <6f898e3848b9bee8faa9832ce3250b8b@free.fr>
In-Reply-To: <87838493-8642-449a-ad67-052cd05db7e1@gmx.de>
Hi Fiona, Titouan, All,
On 26/03/2026 10:38, Fiona Klute via buildroot wrote:
> Hi Titouan!
>
> On 26.03.26 at 10:14, Titouan Christophe via buildroot wrote:
>> This is an in-tree description of Buildroot's security policies
>>
>> Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>
>> ---
>> Changes v1->v2:
>> - Add references to the Buildroot User Manual for vulnerability
>> tracking
>> - Add links to autobuilder pkg-stats and Buildroot security website
>> - Link to CPE info for Buildroot
>> - Explicitly say that security@buildroot.org is a private ML
>> ---
>> SECURITY.md | 36 ++++++++++++++++++++++++++++++++++++
>> 1 file changed, 36 insertions(+)
>> create mode 100644 SECURITY.md
>>
>> diff --git a/SECURITY.md b/SECURITY.md
>> new file mode 100644
>> index 0000000000..6b21ffd2b9
>> --- /dev/null
>> +++ b/SECURITY.md
>> @@ -0,0 +1,36 @@
>> +# Security Policy
>> +
>> +## Security advisories
>> +
>> +Advisories for Buildroot security vulnerabilities are reported on the
>> +developer's mailing list. A public archive can be consulted on
>> +https://lists.buildroot.org/mailman/listinfo/buildroot
>> +
>> +Buildroot itself has a CPE to track its published vulnerabilities:
>> +https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=buildroot
>> +
>> +The Buildroot project provides some ways for its users to track known
>> +vulnerabilites in the packages included in the generated images, see:
>> +- https://nightly.buildroot.org/manual.html#_details_about_packages
>> +
>> +In addition, detailed informations for all packages integrated with
>> Buildroot
>> +are updated daily on the following public web pages:
>> +- https://security.buildroot.org/
>> +- https://autobuild.buildroot.org/stats/
>> +
>> +## Reporting a Vulnerability
>> +
>> +To report a security vulnerability found in the Buildroot build
>> system itself,
>> +please send an email to
>> [security@buildroot.org](mailto:security@buildroot.org).
>> +
>> +This is a private mailing list contacting the Buildroot maintainers
>> only.
>> +
>> +## Vulnerabilities in packages
>> +
>> +Buildroot is a build system that cross-compiles packages from
>> third-party
>> +sources. The Buildroot developers are not responsible for security
>> +vulnerabilities in these packages. Such vulnerabilities should be
>> reported
>> +directly to the upstream project that maintains the affected package.
>> +
>> +When vulnerabilities are fixed upstream, send a patch to update the
>> affected
>> +packages in Buildroot.
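Review bot: two spelling slips in the `## Security advisories` section will land in a user-facing file: `+vulnerabilites in the packages included in the generated images, see:` should read "vulnerabilities", and `+In addition, detailed informations for all packages integrated with` should read "information" (uncountable). Heading case is also mixed between `## Security advisories` / `## Vulnerabilities in packages` and `## Reporting a Vulnerability`; pick one style. Since the file already routes package vulnerabilities to upstream projects, a one-line pointer from "Reporting a Vulnerability" to "Vulnerabilities in packages" would help avoid misdirected reports to the private security@buildroot.org list.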
>
> I'm not sure what the ideal phrasing is, but I think it is important to
> be clear here that bugfix patches (especially but not exclusively
> security ones) may be merged independently of upstream releases, though
> they should be sent upstream first. People following this ML probably
> know that, but for someone new it may be an important hint.
While I agree with your comment, I still applied this patch as is.

I think this SECURITY.md file (which is here for "administrative" reasons) should remain as short as possible, and all those security/bugfix patch details should preferably go in the manual:
https://nightly.buildroot.org/manual.html#_contributing_to_buildroot
https://nightly.buildroot.org/manual.html#RELENG

Those sections need a few refreshes, to include the new LTS model and the details to manage those patches to help LTS maintainers. When those sections are up to date, we will simply add a link here pointing to those sections.
> Best regards,
> Fiona
Best regards,
Julien.