On Tue, Jul 14, 2026 at 12:46:41PM +0200, Spuntik wrote:
> >From 9b140a7e28c8480ab51bc5441c4d40fa5e5a4e90 Mon Sep 17 00:00:00 2001
> From: spuntik1205 <[email protected]>
> Date: Tue, 14 Jul 2026 12:22:32 +0200
> Subject: [PATCH] Add SECURITY.md to redirect GitHub users to official
> security channels
> 
> GitHub natively supports a `SECURITY.md` file in the root of the
> repository. When this file is present, GitHub automatically
> creates a "Security" tab for the repo and displays a prominent link to
> this policy whenever a user attempts to open a new issue.
> 
> Since the Linux kernel mirror on GitHub receives a lot of traffic from
> users who may not be familiar with the kernel's
> mailing-list workflow, they might incorrectly attempt to report
> security vulnerabilities through public GitHub channels.
> 
> This PR adds a standard `SECURITY.md` file that:
> 1. Explicitly asks users not to report vulnerabilities on GitHub.

Do people actually do this?  If so, that should be disabled as no one
looks at it.

> 2. Directs them to the official `[email protected]` mailing list.

No, you need to read the security documentation which tells you how to
do this.

> 3. Links directly to the official `security-bugs.rst` documentation on
> kernel.org for proper reporting procedures.

That's better, but really, step 2 is not correct.

> While I understand the kernel does not use GitHub for development,
> adding this file will help intercept confused GitHub users
> and redirect them to the proper kernel security workflows.
> ---

No signed-off-by or real authorship information?

And no, we don't add files for github only, sorry.

>  SECURITY.md | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
>  create mode 100644 SECURITY.md
> 
> diff --git a/SECURITY.md b/SECURITY.md
> new file mode 100644
> index 000000000000..80b0b46279f6
> --- /dev/null
> +++ b/SECURITY.md
> @@ -0,0 +1,19 @@
> +# Security Policy
> +
> +## Supported Versions
> +
> +The Linux kernel maintains several active branches. The mainline
> kernel, stable kernels, and longterm maintenance (LTS) kernels are
> currently supported with security updates.
> +
> +Please refer to the [active kernel
> releases](https://www.kernel.org/category/releases.html) on kernel.org
> to see which versions are currently receiving security updates.
> +
> +## Reporting a Vulnerability
> +
> +**Please do not report security vulnerabilities through public GitHub 
> issues.**
> +
> +If you believe you have found a security vulnerability in the Linux
> kernel, please report it to the Linux kernel security team.
> +
> +1. **Email the Security Team:** Send an email to `[email protected]`.
> +2. **Read the Documentation:** For detailed instructions on what to
> include in your report, acceptable disclosure timelines, and how the
> kernel team handles security bugs, please read the official [Security
> Bugs 
> Documentation](https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html).
> +3. **Hardware Vulnerabilities:** If you are reporting a hardware
> vulnerability that affects the kernel, please refer to the specific
> guidelines for [Hardware
> vulnerabilities](https://www.kernel.org/doc/html/latest/process/embargoed-hardware-issues.html)
> and contact the hardware security team at
> `[email protected]` if appropriate.
> +
> +The security team will review your report and work with you and the
> relevant subsystem maintainers to develop and release a fix. You can
> typically expect an initial response within a few days.

Really?  We don't provide any QoS guarantees :)

thanks,

greg k-h

Reply via email to