From 89274ac93d63952b2c93be6b1394bb1c55009da5 Mon Sep 17 00:00:00 2001 From: Paul Barker Date: Wed, 3 Jun 2026 20:45:18 +0100 Subject: [PATCH] security-team: Tidy and update section on security team operations The section "What Yocto Security Team does when it receives a security vulnerability" duplicated information already found in the previous section "Security Team Operations", so merge the sections and tidy up the flow of the text. While we're editing this, Mitre is now just one of the places you can go to get a CVE assigned, many other CVE Numbering Authorities (CNAs) are available. They also now have a web form for contact and requesting CVE assignment so let's link directly to that. Also drop "If an upstream project does not respond quickly" down a heading level. (From yocto-docs rev: ca6a21c7cf652fabd0d48fda735a9074f9fe8af7) Signed-off-by: Paul Barker Signed-off-by: Antonin Godard (cherry picked from commit 8efdc7df5c75e92449e74e4d40b763ee1df07adc) Signed-off-by: Antonin Godard Signed-off-by: Paul Barker --- .../security-reference/security-team.rst | 26 ++++++------------- 1 file changed, 8 insertions(+), 18 deletions(-) diff --git a/documentation/security-reference/security-team.rst b/documentation/security-reference/security-team.rst index 7ec1dda02e..c83ada17eb 100644 --- a/documentation/security-reference/security-team.rst +++ b/documentation/security-reference/security-team.rst @@ -56,31 +56,21 @@ original reporter in the loop. There is also sometimes some coordination for handling patches, backporting patches etc, or just understanding the problem or what caused it. -When the fix is publicly available, the YP security team member or the -package maintainer sends patches against the YP code base, following usual -procedures, including public code review. - -What Yocto Security Team does when it receives a security vulnerability -======================================================================= - -The YP Security Team team performs a quick analysis and would usually report -the flaw to the upstream project. Normally the upstream project analyzes the -problem. If they deem it a real security problem in their software, they -develop and release a fix following their own security policy. They may want -to include the original reporter in the loop. There is also sometimes some -coordination for handling patches, backporting patches etc, or just -understanding the problem or what caused it. - The security policy of the upstream project might include a notification to Linux distributions or other important downstream projects in advance to discuss coordinated disclosure. These mailing lists are normally non-public. When the upstream project releases a version with the fix, they are responsible -for contacting `Mitre `__ to get a CVE number assigned and -the CVE record published. +for contacting an appropriate CVE Numbering Authority (CNA), such as `Mitre +`__, to get a CVE number assigned and the CVE +record published. + +When the fix is publicly available, the YP security team member or the +package maintainer sends patches against the YP code base, following usual +procedures, including public code review. If an upstream project does not respond quickly -=============================================== +----------------------------------------------- If an upstream project does not fix the problem in a reasonable time, the Yocto's Security Team will contact other interested parties (usually