[Buildroot] [PATCH v2 2/2] SECURITY.md: add new file
Julien Olivain
ju.o at free.fr
Thu Mar 26 20:24:30 UTC 2026
Hi Fiona, Titouan, All,
On 26/03/2026 10:38, Fiona Klute via buildroot wrote:
> Hi Titouan!
>
> Am 26.03.26 um 10:14 schrieb Titouan Christophe via buildroot:
>> This is an in-tree description of Buildroot's security policies
>>
>> Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>
>> ---
>> Changes v1->v2:
>> - Add references to the Buildroot User Manual for vulnerability
>> tracking
>> - Add links to autobuilder pkg-stats and Buildroot security website
>> - Link to CPE info for Buildroot
>> - Explicitely say that security at buildroot.org is a private ML
>> ---
>> SECURITY.md | 36 ++++++++++++++++++++++++++++++++++++
>> 1 file changed, 36 insertions(+)
>> create mode 100644 SECURITY.md
>>
>> diff --git a/SECURITY.md b/SECURITY.md
>> new file mode 100644
>> index 0000000000..6b21ffd2b9
>> --- /dev/null
>> +++ b/SECURITY.md
>> @@ -0,0 +1,36 @@
>> +# Security Policy
>> +
>> +## Security advisories
>> +
>> +Advisories for Buildroot security vulnerabilities are reported on the
>> +developer's mailing list. A public archive can be consulted on
>> +https://lists.buildroot.org/mailman/listinfo/buildroot
>> +
>> +Buildroot itself has a CPE to track its published vulnerabilities:
>> +https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=buildroot
>> +
>> +The Buildroot project provides some ways for its users to track known
>> +vulnerabilites in the packages included in the generated images, see:
>> +- https://nightly.buildroot.org/manual.html#_details_about_packages
>> +
>> +In addition, detailed informations for all packages integrated with
>> Buildroot
>> +are updated daily on the following public web pages:
>> +- https://security.buildroot.org/
>> +- https://autobuild.buildroot.org/stats/
>> +
>> +## Reporting a Vulnerability
>> +
>> +To report a security vulnerability found in the Buildroot build
>> system itself,
>> +please send an email to
>> [security at buildroot.org](mailto:security at buildroot.org).
>> +
>> +This is a private mailing list contacting the Buildroot maintainers
>> only.
>> +
>> +## Vulnerabilities in packages
>> +
>> +Buildroot is a build system that cross-compiles packages from
>> third-party
>> +sources. The Buildroot developers are not responsible for security
>> +vulnerabilities in these packages. Such vulnerabilities should be
>> reported
>> +directly to the upstream project that maintains the affected package.
>> +
>> +When vulnerabilities are fixed upstream, send a patch to update the
>> affected
>> +packages in Buildroot.
>
> I'm not sure what the ideal phrasing is, but I think it is important to
> be clear here that bugfix patches (especially but not exclusively
> security ones) may be merged independently of upstream releases, though
> they should be sent upstream first. People following this ML probably
> know that, but for someone new it may be an important hint.
While I agree with your comment, I still applied this patch as is.
I think this SECURITY.md file (which is here for "administrative"
reasons) should remain
as short as possible, and all those security/bugfix patches details
should preferably go
in the manual:
https://nightly.buildroot.org/manual.html#_contributing_to_buildroot
https://nightly.buildroot.org/manual.html#RELENG
Those sections needs few refreshes, to include the new LTS model, and
the details to
manage those patches to help LTS maintainers. When those sections will
be up to date,
we will simply add a link here pointing to those sections.
> Best regards,
> Fiona
Best regards,
Julien.
More information about the buildroot
mailing list