[Buildroot] [PATCH v2 2/2] SECURITY.md: add new file
Fiona Klute
fiona.klute at gmx.de
Thu Mar 26 09:38:12 UTC 2026
Hi Titouan!
On 26.03.26 at 10:14, Titouan Christophe via buildroot wrote:
> This is an in-tree description of Buildroot's security policies
>
> Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
> ---
> Changes v1->v2:
> - Add references to the Buildroot User Manual for vulnerability tracking
> - Add links to autobuilder pkg-stats and Buildroot security website
> - Link to CPE info for Buildroot
> - Explicitly say that security at buildroot.org is a private ML
> ---
> SECURITY.md | 36 ++++++++++++++++++++++++++++++++++++
> 1 file changed, 36 insertions(+)
> create mode 100644 SECURITY.md
>
> diff --git a/SECURITY.md b/SECURITY.md
> new file mode 100644
> index 0000000000..6b21ffd2b9
> --- /dev/null
> +++ b/SECURITY.md
> @@ -0,0 +1,36 @@
> +# Security Policy
> +
> +## Security advisories
> +
> +Advisories for Buildroot security vulnerabilities are reported on the
> +developer's mailing list. A public archive can be consulted on
> +https://lists.buildroot.org/mailman/listinfo/buildroot
> +
> +Buildroot itself has a CPE to track its published vulnerabilities:
> +https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=buildroot
> +
> +The Buildroot project provides some ways for its users to track known
> +vulnerabilites in the packages included in the generated images, see:
> +- https://nightly.buildroot.org/manual.html#_details_about_packages
> +
> +In addition, detailed informations for all packages integrated with Buildroot
> +are updated daily on the following public web pages:
> +- https://security.buildroot.org/
> +- https://autobuild.buildroot.org/stats/
> +
> +## Reporting a Vulnerability
> +
> +To report a security vulnerability found in the Buildroot build system itself,
> +please send an email to [security at buildroot.org](mailto:security at buildroot.org).
> +
> +This is a private mailing list contacting the Buildroot maintainers only.
> +
> +## Vulnerabilities in packages
> +
> +Buildroot is a build system that cross-compiles packages from third-party
> +sources. The Buildroot developers are not responsible for security
> +vulnerabilities in these packages. Such vulnerabilities should be reported
> +directly to the upstream project that maintains the affected package.
> +
> +When vulnerabilities are fixed upstream, send a patch to update the affected
> +packages in Buildroot.
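Review bot: two spelling errors in the new file: "vulnerabilites" in the package-tracking paragraph should read "vulnerabilities", and "detailed informations" should read "detailed information" (the noun is uncountable). "developer's mailing list" in the advisories section should be "developers' mailing list", since the list belongs to the developers collectively. The "see:" followed by a single bullet reads awkwardly; the one link could be folded into the sentence. In the last section, "send a patch to update the affected packages in Buildroot" would be more useful to a newcomer if it said where that patch should be sent.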
I'm not sure what the ideal phrasing is, but I think it is important to
be clear here that bugfix patches (especially but not exclusively
security ones) may be merged independently of upstream releases, though
they should be sent upstream first. People following this ML probably
know that, but for someone new it may be an important hint.
Best regards,
Fiona