Vegard Nossum <vegard.nossum@xxxxxxxxxx> writes:

> The current instructions for reporting security vulnerabilities in the
> kernel are not clear enough, in particular the process of disclosure
> and requesting CVEs, and what the roles of the different lists are and
> how exactly to report to each of them.
>
> Let's give this document an overhaul. Goals are stated as a comment at
> the top of the document itself (these will not appear in the rendered
> document).

...but they do appear in the plain-text document, which must also be
readable. Thus...

[...]

> diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
> index 82e29837d5898..5f37b3f1e77dc 100644
> --- a/Documentation/admin-guide/security-bugs.rst
> +++ b/Documentation/admin-guide/security-bugs.rst
> @@ -1,96 +1,175 @@
> +..
> + If you modify this document, please consider the following:
> +
> + 1) The most important information should be at the top (preferably in
> + the opening paragraph). This means contacting <security@xxxxxxxxxx>;
> + if somebody doesn't read any further than that, at least the security
> + team will have the report.

I submit that you are breaking your own rule by putting this stuff at the
top of the document. I'm not really convinced that you need it at all - we
don't normally include these sorts of instructions - but if it has to be
here I would put it at the end.

[Haven't had a chance to look at the real material yet]

Thanks,

jon
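Review bot: the reStructuredText comment opened by `+..` at line 1 of the hunk contradicts the guideline stated inside it (item 1: the most important information, contacting <security@xxxxxxxxxx>, belongs at the top), because anyone reading the plain .rst file now meets maintainer-only instructions before the reporting address. Consider moving the comment block to the end of the file, or dropping it in favour of a commit message and a short note in the documentation maintainer guide, so the first lines of security-bugs.rst are the contact instructions for a reporter.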