>From 9b140a7e28c8480ab51bc5441c4d40fa5e5a4e90 Mon Sep 17 00:00:00 2001
From: spuntik1205 <[email protected]>
Date: Tue, 14 Jul 2026 12:22:32 +0200
Subject: [PATCH] Add SECURITY.md to redirect GitHub users to official
security channels

GitHub natively supports a `SECURITY.md` file in the root of the
repository. When this file is present, GitHub automatically
creates a "Security" tab for the repo and displays a prominent link to
this policy whenever a user attempts to open a new issue.

Since the Linux kernel mirror on GitHub receives a lot of traffic from
users who may not be familiar with the kernel's
mailing-list workflow, they might incorrectly attempt to report
security vulnerabilities through public GitHub channels.

This PR adds a standard `SECURITY.md` file that:
1. Explicitly asks users not to report vulnerabilities on GitHub.
2. Directs them to the official `[email protected]` mailing list.
3. Links directly to the official `security-bugs.rst` documentation on
kernel.org for proper reporting procedures.

While I understand the kernel does not use GitHub for development,
adding this file will help intercept confused GitHub users
and redirect them to the proper kernel security workflows.
---
 SECURITY.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000000..80b0b46279f6
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,19 @@
+# Security Policy
+
+## Supported Versions
+
+The Linux kernel maintains several active branches. The mainline
kernel, stable kernels, and longterm maintenance (LTS) kernels are
currently supported with security updates.
+
+Please refer to the [active kernel
releases](https://www.kernel.org/category/releases.html) on kernel.org
to see which versions are currently receiving security updates.
+
+## Reporting a Vulnerability
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+If you believe you have found a security vulnerability in the Linux
kernel, please report it to the Linux kernel security team.
+
+1. **Email the Security Team:** Send an email to `[email protected]`.
+2. **Read the Documentation:** For detailed instructions on what to
include in your report, acceptable disclosure timelines, and how the
kernel team handles security bugs, please read the official [Security
Bugs 
Documentation](https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html).
+3. **Hardware Vulnerabilities:** If you are reporting a hardware
vulnerability that affects the kernel, please refer to the specific
guidelines for [Hardware
vulnerabilities](https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html)
and contact the hardware security team at
`[email protected]` if appropriate.
+
+The security team will review your report and work with you and the
relevant subsystem maintainers to develop and release a fix. You can
typically expect an initial response within a few days.
-- 
2.55.0

Reply via email to