>From 9b140a7e28c8480ab51bc5441c4d40fa5e5a4e90 Mon Sep 17 00:00:00 2001 From: spuntik1205 <[email protected]> Date: Tue, 14 Jul 2026 12:22:32 +0200 Subject: [PATCH] Add SECURITY.md to redirect GitHub users to official security channels
GitHub natively supports a `SECURITY.md` file in the root of the repository. When this file is present, GitHub automatically creates a "Security" tab for the repo and displays a prominent link to this policy whenever a user attempts to open a new issue. Since the Linux kernel mirror on GitHub receives a lot of traffic from users who may not be familiar with the kernel's mailing-list workflow, they might incorrectly attempt to report security vulnerabilities through public GitHub channels. This PR adds a standard `SECURITY.md` file that: 1. Explicitly asks users not to report vulnerabilities on GitHub. 2. Directs them to the official `[email protected]` mailing list. 3. Links directly to the official `security-bugs.rst` documentation on kernel.org for proper reporting procedures. While I understand the kernel does not use GitHub for development, adding this file will help intercept confused GitHub users and redirect them to the proper kernel security workflows. --- SECURITY.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000000..80b0b46279f6 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,19 @@ +# Security Policy + +## Supported Versions + +The Linux kernel maintains several active branches. The mainline kernel, stable kernels, and longterm maintenance (LTS) kernels are currently supported with security updates. + +Please refer to the [active kernel releases](https://www.kernel.org/category/releases.html) on kernel.org to see which versions are currently receiving security updates. + +## Reporting a Vulnerability + +**Please do not report security vulnerabilities through public GitHub issues.** + +If you believe you have found a security vulnerability in the Linux kernel, please report it to the Linux kernel security team. + +1. **Email the Security Team:** Send an email to `[email protected]`. +2. **Read the Documentation:** For detailed instructions on what to include in your report, acceptable disclosure timelines, and how the kernel team handles security bugs, please read the official [Security Bugs Documentation](https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html). +3. **Hardware Vulnerabilities:** If you are reporting a hardware vulnerability that affects the kernel, please refer to the specific guidelines for [Hardware vulnerabilities](https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html) and contact the hardware security team at `[email protected]` if appropriate. + +The security team will review your report and work with you and the relevant subsystem maintainers to develop and release a fix. You can typically expect an initial response within a few days. -- 2.55.0

