On Mon, 6 Jun 2022, Vegard Nossum wrote:

> The current instructions for reporting security vulnerabilities in the
> kernel are not clear enough, in particular the process of disclosure
> and requesting CVEs, and what the roles of the different lists are and
> how exactly to report to each of them.
>
> Let's give this document an overhaul. Goals are stated as a comment at
> the bottom of the document; these will not appear in the rendered HTML
> document.
>
> v2: address feedback from Willy Tarreau and Jonathan Corbet
>
> Link: https://seclists.org/oss-sec/2022/q2/133
> Cc: Amit Shah <aams@xxxxxxxxxx>
> Cc: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>
> Cc: David Woodhouse <dwmw@xxxxxxxxxxxx>
> Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> Cc: Gustavo A. R. Silva <gustavoars@xxxxxxxxxx>
> Cc: Jiri Kosina <jkosina@xxxxxxx>
> Cc: Jonathan Corbet <corbet@xxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: Laura Abbott <labbott@xxxxxxxxxx>
> Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> Cc: Mauro Carvalho Chehab <mchehab@xxxxxxxxxx>
> Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
> Cc: Solar Designer <solar@xxxxxxxxxxxx>
> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> Cc: Thorsten Leemhuis <linux@xxxxxxxxxxxxx>
> Cc: Tyler Hicks <tyhicks@xxxxxxxxxxxxxxxxxxx>
> Cc: Will Deacon <will@xxxxxxxxxx>
> Cc: Willy Tarreau <w@xxxxxx>
> Signed-off-by: Vegard Nossum <vegard.nossum@xxxxxxxxxx>
> ---
> Documentation/admin-guide/security-bugs.rst | 252 +++++++++++++-------
> 1 file changed, 167 insertions(+), 85 deletions(-)
>
> v1 thread:
> https://lore.kernel.org/all/20220531230309.9290-1-vegard.nossum@xxxxxxxxxx/T/#u
>
> Updated rendered HTML:
> https://vegard.github.io/security/Documentation/output/admin-guide/security-bugs-v2.html
>
> diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
> index 82e29837d5898..c63eeb1e89ffd 100644
> --- a/Documentation/admin-guide/security-bugs.rst
> +++ b/Documentation/admin-guide/security-bugs.rst

Thanks for investing time into fixing this aged document.

Two rather minor things come to my mind, but as you are touching that document anyway ...

- what sense does it make to have embargoed-hardware-issues.rst and security-bugs.rst live in different Documentation/ subdirectories (admin-guide/ vs process/)? It'd seem to make sense to me to have them in one common place?

- would it make sense to briefly reference embargoed-hardware-issues.rst somewhere in this text, to make the distinction as obvious as possible? It's referenced the other way around.

Thanks,

-- 
Jiri Kosina
SUSE Labs