SECURITY file
SECURITY.md file
SECURITY.md is a file where security researchers look into where they want to know how to report a potential security issue to a project confidentially. People who report security issues aren't necessarily developers. They might have limited knowledge of how the project functions and what are the customary communication methods.
In addition to the way to contact the project team, it is also frequent to list releases that receive security fixes.
Security researchers prefer confidential reporting and generally avoid posting them publicly -- if they can find a way to report confidentially. This increases the chances of preparing a fix before adversaries exploit the issue.
The file might be straightforward and contain only essential information. Or, it might include links to other security materials, like documentation and policies. It is up to a layer maintainer to decide on the actual content.
Why to have a SECURITY.md?
The first reason to have a SECURITY.md is to offer an easy way for security researchers to contact the project team in case of a potential security vulnerability. The file is the standard way to do it. Many software forges offer special formatting when they detect the file. See, for example, the OE GitHub mirror with the SECURITY.md listed automatically in the 'Security' tab: https://github.com/openembedded/openembedded-core/security
One might argue that Yocto Project layers contain only links to upstream sources, and all security issues should be reported to upstream projects. While it is valid for the first part, layers often include patches or apply configuration options. Such changes might create separate security issues. Finally, a confidential way to contact the project or layer is necessary to synchronize fixes between multiple distributions or downstream projects.
The Yocto Project now strongly recommends all layers to have this file.
Generic SECURITY.md file
The generic SECURITY.md file redirects to the Yocto Project Security Team. Here is an example taken from https://git.openembedded.org/openembedded-core/tree/SECURITY.md :
How to Report a Potential Vulnerability? ======================================== If you would like to report a public issue (for example, one with a released CVE number), please report it using the [https://bugzilla.yoctoproject.org/enter_bug.cgi?product=Security Security Bugzilla] If you are dealing with a not-yet released or urgent issue, please send a message to security AT yoctoproject DOT org, including as many details as possible: the layer or software module affected, the recipe and its version, and any example code, if available. Branches maintained with security fixes --------------------------------------- See [https://wiki.yoctoproject.org/wiki/Stable_Release_and_LTS Stable release and LTS] for detailed info regarding the policies and maintenance of Stable branches. The [https://wiki.yoctoproject.org/wiki/Releases Release page] contains a list of all releases of the Yocto Project. Versions in grey are no longer actively maintained with security patches, but well-tested patches may still be accepted for them for significant issues.
Layer-specific SECURITY.md file
A template asking to contact the maintainer. Adapt to your needs and processes:
How to Report a Potential Vulnerability? ======================================== If you would like to report a public issue (for example, one with a released CVE number), please get in touch with the layer maintainer: jane DOT doe AT example DOT org. Branches maintained with security fixes --------------------------------------- This project follows Yocto Project LTS policy. Please refer to the YP documentation for more details.