From: Greg KH <gregkh@linuxfoundation.org>
To: Spuntik <spuntik1205@gmail.com>
Cc: linux-kernel@vger.kernel.org, workflows@vger.kernel.org
Subject: Re: [PATCH] Add SECURITY.md to redirect GitHub users to official security channels
Date: Tue, 14 Jul 2026 14:17:58 +0200 [thread overview]
Message-ID: <2026071415-washboard-seventeen-c7bf@gregkh> (raw)
In-Reply-To: <CAA7kybvhDafxcsOv-JTeB5NfqBgiTivp671yMsnHeS8T8MOO6Q@mail.gmail.com>
On Tue, Jul 14, 2026 at 12:46:41PM +0200, Spuntik wrote:
> >From 9b140a7e28c8480ab51bc5441c4d40fa5e5a4e90 Mon Sep 17 00:00:00 2001
> From: spuntik1205 <spuntik1205@gmail.com>
> Date: Tue, 14 Jul 2026 12:22:32 +0200
> Subject: [PATCH] Add SECURITY.md to redirect GitHub users to official
> security channels
>
> GitHub natively supports a `SECURITY.md` file in the root of the
> repository. When this file is present, GitHub automatically
> creates a "Security" tab for the repo and displays a prominent link to
> this policy whenever a user attempts to open a new issue.
>
> Since the Linux kernel mirror on GitHub receives a lot of traffic from
> users who may not be familiar with the kernel's
> mailing-list workflow, they might incorrectly attempt to report
> security vulnerabilities through public GitHub channels.
>
> This PR adds a standard `SECURITY.md` file that:
> 1. Explicitly asks users not to report vulnerabilities on GitHub.
Do people actually do this? If so, that should be disabled as no one
looks at it.
> 2. Directs them to the official `security@kernel.org` mailing list.
No, you need to read the security documentation which tells you how to
do this.
> 3. Links directly to the official `security-bugs.rst` documentation on
> kernel.org for proper reporting procedures.
That's better, but really, step 2 is not correct.
> While I understand the kernel does not use GitHub for development,
> adding this file will help intercept confused GitHub users
> and redirect them to the proper kernel security workflows.
> ---
No signed-off-by or real authorship information?
And no, we don't add files for github only, sorry.
> SECURITY.md | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
> create mode 100644 SECURITY.md
>
> diff --git a/SECURITY.md b/SECURITY.md
> new file mode 100644
> index 000000000000..80b0b46279f6
> --- /dev/null
> +++ b/SECURITY.md
> @@ -0,0 +1,19 @@
> +# Security Policy
> +
> +## Supported Versions
> +
> +The Linux kernel maintains several active branches. The mainline
> kernel, stable kernels, and longterm maintenance (LTS) kernels are
> currently supported with security updates.
> +
> +Please refer to the [active kernel
> releases](https://www.kernel.org/category/releases.html) on kernel.org
> to see which versions are currently receiving security updates.
> +
> +## Reporting a Vulnerability
> +
> +**Please do not report security vulnerabilities through public GitHub issues.**
> +
> +If you believe you have found a security vulnerability in the Linux
> kernel, please report it to the Linux kernel security team.
> +
> +1. **Email the Security Team:** Send an email to `security@kernel.org`.
> +2. **Read the Documentation:** For detailed instructions on what to
> include in your report, acceptable disclosure timelines, and how the
> kernel team handles security bugs, please read the official [Security
> Bugs Documentation](https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html).
> +3. **Hardware Vulnerabilities:** If you are reporting a hardware
> vulnerability that affects the kernel, please refer to the specific
> guidelines for [Hardware
> vulnerabilities](https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html)
> and contact the hardware security team at
> `hardware-security@kernel.org` if appropriate.
> +
> +The security team will review your report and work with you and the
> relevant subsystem maintainers to develop and release a fix. You can
> typically expect an initial response within a few days.
Really? We don't provide any QoS guarantees :)
thanks,
greg k-h
prev parent reply other threads:[~2026-07-14 12:18 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-14 10:46 [PATCH] Add SECURITY.md to redirect GitHub users to official security channels Spuntik
2026-07-14 12:17 ` Greg KH [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026071415-washboard-seventeen-c7bf@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=spuntik1205@gmail.com \
--cc=workflows@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox