Maintainer workflows discussions
 help / color / mirror / Atom feed
* [PATCH] Add SECURITY.md to redirect GitHub users to official security channels
@ 2026-07-14 10:46 Spuntik
  2026-07-14 12:17 ` Greg KH
  0 siblings, 1 reply; 2+ messages in thread
From: Spuntik @ 2026-07-14 10:46 UTC (permalink / raw)
  To: linux-kernel, workflows

From 9b140a7e28c8480ab51bc5441c4d40fa5e5a4e90 Mon Sep 17 00:00:00 2001
From: spuntik1205 <spuntik1205@gmail.com>
Date: Tue, 14 Jul 2026 12:22:32 +0200
Subject: [PATCH] Add SECURITY.md to redirect GitHub users to official
security channels

GitHub natively supports a `SECURITY.md` file in the root of the
repository. When this file is present, GitHub automatically
creates a "Security" tab for the repo and displays a prominent link to
this policy whenever a user attempts to open a new issue.

Since the Linux kernel mirror on GitHub receives a lot of traffic from
users who may not be familiar with the kernel's
mailing-list workflow, they might incorrectly attempt to report
security vulnerabilities through public GitHub channels.

This PR adds a standard `SECURITY.md` file that:
1. Explicitly asks users not to report vulnerabilities on GitHub.
2. Directs them to the official `security@kernel.org` mailing list.
3. Links directly to the official `security-bugs.rst` documentation on
kernel.org for proper reporting procedures.

While I understand the kernel does not use GitHub for development,
adding this file will help intercept confused GitHub users
and redirect them to the proper kernel security workflows.
---
 SECURITY.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000000..80b0b46279f6
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,19 @@
+# Security Policy
+
+## Supported Versions
+
+The Linux kernel maintains several active branches. The mainline
kernel, stable kernels, and longterm maintenance (LTS) kernels are
currently supported with security updates.
+
+Please refer to the [active kernel
releases](https://www.kernel.org/category/releases.html) on kernel.org
to see which versions are currently receiving security updates.
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+If you believe you have found a security vulnerability in the Linux
kernel, please report it to the Linux kernel security team.
+
+1. **Email the Security Team:** Send an email to `security@kernel.org`.
+2. **Read the Documentation:** For detailed instructions on what to
include in your report, acceptable disclosure timelines, and how the
kernel team handles security bugs, please read the official [Security
Bugs Documentation](https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html).
+3. **Hardware Vulnerabilities:** If you are reporting a hardware
vulnerability that affects the kernel, please refer to the specific
guidelines for [Hardware
vulnerabilities](https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html)
and contact the hardware security team at
`hardware-security@kernel.org` if appropriate.
+
+The security team will review your report and work with you and the
relevant subsystem maintainers to develop and release a fix. You can
typically expect an initial response within a few days.
-- 
2.55.0

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] Add SECURITY.md to redirect GitHub users to official security channels
  2026-07-14 10:46 [PATCH] Add SECURITY.md to redirect GitHub users to official security channels Spuntik
@ 2026-07-14 12:17 ` Greg KH
  0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2026-07-14 12:17 UTC (permalink / raw)
  To: Spuntik; +Cc: linux-kernel, workflows

On Tue, Jul 14, 2026 at 12:46:41PM +0200, Spuntik wrote:
> >From 9b140a7e28c8480ab51bc5441c4d40fa5e5a4e90 Mon Sep 17 00:00:00 2001
> From: spuntik1205 <spuntik1205@gmail.com>
> Date: Tue, 14 Jul 2026 12:22:32 +0200
> Subject: [PATCH] Add SECURITY.md to redirect GitHub users to official
> security channels
> 
> GitHub natively supports a `SECURITY.md` file in the root of the
> repository. When this file is present, GitHub automatically
> creates a "Security" tab for the repo and displays a prominent link to
> this policy whenever a user attempts to open a new issue.
> 
> Since the Linux kernel mirror on GitHub receives a lot of traffic from
> users who may not be familiar with the kernel's
> mailing-list workflow, they might incorrectly attempt to report
> security vulnerabilities through public GitHub channels.
> 
> This PR adds a standard `SECURITY.md` file that:
> 1. Explicitly asks users not to report vulnerabilities on GitHub.

Do people actually do this?  If so, that should be disabled as no one
looks at it.

> 2. Directs them to the official `security@kernel.org` mailing list.

No, you need to read the security documentation which tells you how to
do this.

> 3. Links directly to the official `security-bugs.rst` documentation on
> kernel.org for proper reporting procedures.

That's better, but really, step 2 is not correct.

> While I understand the kernel does not use GitHub for development,
> adding this file will help intercept confused GitHub users
> and redirect them to the proper kernel security workflows.
> ---

No signed-off-by or real authorship information?

And no, we don't add files for github only, sorry.

>  SECURITY.md | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
>  create mode 100644 SECURITY.md
> 
> diff --git a/SECURITY.md b/SECURITY.md
> new file mode 100644
> index 000000000000..80b0b46279f6
> --- /dev/null
> +++ b/SECURITY.md
> @@ -0,0 +1,19 @@
> +# Security Policy
> +
> +## Supported Versions
> +
> +The Linux kernel maintains several active branches. The mainline
> kernel, stable kernels, and longterm maintenance (LTS) kernels are
> currently supported with security updates.
> +
> +Please refer to the [active kernel
> releases](https://www.kernel.org/category/releases.html) on kernel.org
> to see which versions are currently receiving security updates.
> +
> +## Reporting a Vulnerability
> +
> +**Please do not report security vulnerabilities through public GitHub issues.**
> +
> +If you believe you have found a security vulnerability in the Linux
> kernel, please report it to the Linux kernel security team.
> +
> +1. **Email the Security Team:** Send an email to `security@kernel.org`.
> +2. **Read the Documentation:** For detailed instructions on what to
> include in your report, acceptable disclosure timelines, and how the
> kernel team handles security bugs, please read the official [Security
> Bugs Documentation](https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html).
> +3. **Hardware Vulnerabilities:** If you are reporting a hardware
> vulnerability that affects the kernel, please refer to the specific
> guidelines for [Hardware
> vulnerabilities](https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html)
> and contact the hardware security team at
> `hardware-security@kernel.org` if appropriate.
> +
> +The security team will review your report and work with you and the
> relevant subsystem maintainers to develop and release a fix. You can
> typically expect an initial response within a few days.

Really?  We don't provide any QoS guarantees :)

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-07-14 12:18 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-14 10:46 [PATCH] Add SECURITY.md to redirect GitHub users to official security channels Spuntik
2026-07-14 12:17 ` Greg KH

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox