From: Paul Barker <paul@pbarker.dev>
To: docs@lists.yoctoproject.org
Cc: Marta Rybczynska <marta.rybczynska@ygreky.com>,
Paul Barker <paul@pbarker.dev>
Subject: [PATCH v2 3/3] security-team: Add section on multi-project embargoes
Date: Wed, 03 Jun 2026 20:45:19 +0100 [thread overview]
Message-ID: <20260603-sec-team-v2-3-ee7d2016fbf4@pbarker.dev> (raw)
In-Reply-To: <20260603-sec-team-v2-0-ee7d2016fbf4@pbarker.dev>
This text is migrated from the Security private reporting wiki page [1],
originally written by Marta.
[1]: https://wiki.yoctoproject.org/wiki/index.php?title=Security_private_reporting&type=revision&diff=86034&oldid=86033
Cc: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
---
documentation/security-reference/security-team.rst | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/documentation/security-reference/security-team.rst b/documentation/security-reference/security-team.rst
index c83ada17eb56..169d503e94af 100644
--- a/documentation/security-reference/security-team.rst
+++ b/documentation/security-reference/security-team.rst
@@ -80,6 +80,28 @@ vulnerability as quickly as possible.
The Yocto Project Security team adheres to the 90 days disclosure policy
by default. An increase of the embargo time is possible when necessary.
+Handling multi-project embargoes
+--------------------------------
+
+In rare cases, a severe security issue affects multiple projects. This might be
+numerous projects having a similar issue because of design, coding pattern, or
+reuse of the same code (an example of this situation is :cve_nist:`2023-44487`
+where multiple web servers share a design weakness). It might also be a
+high-profile issue in a commonly used library (like OpenSSL). In such cases,
+the project, learning first about the issue, might decide to notify other
+affected projects confidentially so that they come up with a synchronized fix.
+It might also be the affected project informing major distributions to roll out
+the update simultaneously.
+
+Such notifications happen over confidential, non-public means. Typically, the
+project initiating this "embargo" directly notifies a selected number of people
+from each project, including a subset of the security team. When Yocto Project
+is a part of such a notified group, developers prepare fixes on separate
+infrastructure and test it. They might also include additional developers and
+domain experts who can help with the fix and eventual regressions. When the
+embargo is lifted, they send a patch to the relevant public list, and the usual
+review process starts.
+
Security Team Members
=====================
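Review bot: "developers prepare fixes on separate infrastructure and test it" has a number mismatch (plural "fixes", singular "it"); suggest "prepare and test fixes on separate infrastructure". Two documentation gaps in the same hunk: the paragraph directly above this section states the team's default 90 days disclosure policy, while the new text describes an embargo whose timeline is set by the project that first learned of the issue, so one sentence on which timeline applies when Yocto Project joins an externally coordinated embargo would help; and the text says "a subset of the security team" is notified without saying how an initiating project should reach the team confidentially, so a pointer to the team's private contact channel belongs here. Minor wording: the commas in "the project, learning first about the issue, might decide" make the clause non-restrictive; "the project that first learns of the issue might decide" is clearer, and the "They" opening the last two sentences would read better as "the notified developers".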
--
2.43.0
Thread overview:
2026-06-03 19:45 [PATCH v2 0/3] Security team documentation updates Paul Barker
2026-06-03 19:45 ` [PATCH v2 1/3] security-team: Update membership list Paul Barker
2026-06-03 19:45 ` [PATCH v2 2/3] security-team: Tidy and update section on security team operations Paul Barker
2026-06-04 5:33 ` [docs] " Marta Rybczynska
2026-06-04 8:22 ` Paul Barker
2026-06-03 19:45 ` Paul Barker [this message]
2026-06-09 7:27 ` [PATCH v2 0/3] Security team documentation updates Antonin Godard