Bug and vulnerability policies FAQ

Overview of the policies:

Bug triage - severity levels:

  • Critical severity bugs make a feature unusable, or cause major data loss or hardware breakage. There is no workaround, or only a complex one.
  • Normal severity bugs make a feature hard to use, but there is a workaround (including another feature to use instead of the desired one).
  • Minor severity bugs cause the loss of a non-critical feature (like missing or incorrect logging).
  • Low severity bugs cause minor inconveniences (like a typo in the user interface or in the documentation).

Vulnerability process specifics:

  • Security Response Team – handling reports and the bugtracker
  • Security bugs visible to selected team members only
  • Possible early release to impacted parties (5 to 30 days before security advisory) under embargo
  • Fix to be available in 90 days (including embargoes)
  • Security fixes developed in private forks

Question: Where are complete policies available?

Answer: You can find the policies in our documentation: the current bug policy and the current vulnerability policy.

Question: Classifying a regular bug as a security one requires knowledge. Will SRT scan regular bugs too?

Answer: Yes, SRT will look into the regular bugs in parallel. Every project member can also contact SRT if they suspect that there might be a security issue, for example in a lower severity issue they are fixing as a regular bug; or in the code they’re developing.

Question: Will we have a common template for a project including SECURITY.md, a license file and more?

Answer: Good idea, a requirement will be filled in.

Question: For how long do we support our packages, including versions no longer supported by the upstream?

Answer: Stay tuned, a separate document will be available.

Question: Do you have further reading about the reasons behind the bug and vulnerability policies?

Answer: Sure, please check this post for more about security policies in different Open Source projects. The write-up about the requirements of the vulnerability process is also available, and a similar one for the bug process.

You may also refer to the Yocto Project documentation on stable releases and LTS.