1
0
mirror of https://git.yoctoproject.org/poky synced 2026-07-15 15:37:03 +00:00

security-team: Tidy and update section on security team operations

The section "What Yocto Security Team does when it receives a security
vulnerability" duplicated information already found in the previous
section "Security Team Operations", so merge the sections and tidy up
the flow of the text.

While we're editing this, Mitre is now just one of the places you can go
to get a CVE assigned, many other CVE Numbering Authorities (CNAs) are
available. They also now have a web form for contact and requesting CVE
assignment so let's link directly to that.

Also drop "If an upstream project does not respond quickly" down a
heading level.

(From yocto-docs rev: ca6a21c7cf652fabd0d48fda735a9074f9fe8af7)

Signed-off-by: Paul Barker <paul@pbarker.dev>
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
(cherry picked from commit 8efdc7df5c75e92449e74e4d40b763ee1df07adc)
Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
Signed-off-by: Paul Barker <paul@pbarker.dev>
This commit is contained in:
Paul Barker
2026-06-03 20:45:18 +01:00
parent 921c3654d8
commit 89274ac93d
@@ -56,31 +56,21 @@ original reporter in the loop. There is also sometimes some coordination for
handling patches, backporting patches etc, or just understanding the problem
or what caused it.
When the fix is publicly available, the YP security team member or the
package maintainer sends patches against the YP code base, following usual
procedures, including public code review.
What Yocto Security Team does when it receives a security vulnerability
=======================================================================
The YP Security Team team performs a quick analysis and would usually report
the flaw to the upstream project. Normally the upstream project analyzes the
problem. If they deem it a real security problem in their software, they
develop and release a fix following their own security policy. They may want
to include the original reporter in the loop. There is also sometimes some
coordination for handling patches, backporting patches etc, or just
understanding the problem or what caused it.
The security policy of the upstream project might include a notification to
Linux distributions or other important downstream projects in advance to
discuss coordinated disclosure. These mailing lists are normally non-public.
When the upstream project releases a version with the fix, they are responsible
for contacting `Mitre <https://www.cve.org/>`__ to get a CVE number assigned and
the CVE record published.
for contacting an appropriate CVE Numbering Authority (CNA), such as `Mitre
<https://cveform.mitre.org/>`__, to get a CVE number assigned and the CVE
record published.
When the fix is publicly available, the YP security team member or the
package maintainer sends patches against the YP code base, following usual
procedures, including public code review.
If an upstream project does not respond quickly
===============================================
-----------------------------------------------
If an upstream project does not fix the problem in a reasonable time,
the Yocto's Security Team will contact other interested parties (usually