Hi,

This is v3 of clarifying our documentation for reporting security issues.

The current document is not clear enough, in particular the process of disclosure and requesting CVEs, and what the roles of the different lists are and how exactly to report to each of them.

Lots of people have been confused about the 7/14 days of the kernel list vs. the 7/14 days of the distros list, the fact that these are two separate lists, etc. Many reporters contact distros first, or submit their report to both lists at the same time (which has the unfortunate effect of starting off the disclosure countdown for the distros list before s@k.o has had a chance to look at the report).

I've shared the v2 document with a couple of people who submitted reports and they said they found it a lot clearer.

Probably the easiest way to see the end result of this series is to view the rendered HTML which I've put here:
https://vegard.github.io/security-v3/Documentation/output/process/security-bugs.html

oss-security discussion prompting the change:
https://www.openwall.com/lists/oss-security/2022/05/15/1

v1 submission:
https://lore.kernel.org/all/20220531230309.9290-1-vegard.nossum@xxxxxxxxxx/

v2 submission:
https://lore.kernel.org/all/20220606194850.26122-1-vegard.nossum@xxxxxxxxxx/

Changes:

v2: address feedback from Willy Tarreau and Jonathan Corbet

v3: move from admin-guide/ to process/; address feedback from Will Deacon (including reverting back to some of the original phrasing); split into multiple patches

Vegard

Vegard Nossum (7):
  Documentation/security-bugs: move from admin-guide/ to process/
  Documentation/security-bugs: misc. improvements
  Documentation/security-bugs: improve security list section
  Documentation/security-bugs: add linux-distros and oss-security sections
  Documentation/security-bugs: add table of lists
  Documentation/security-bugs: clarify hardware vs. software vulnerabilities
  Documentation/security-bugs: document document design

 Documentation/admin-guide/index.rst           |   1 -
 .../admin-guide/reporting-issues.rst          |   4 +-
 Documentation/admin-guide/security-bugs.rst   |  96 ----------
 Documentation/process/howto.rst               |   2 +-
 Documentation/process/index.rst               |   9 +-
 .../process/researcher-guidelines.rst         |   2 +-
 Documentation/process/security-bugs.rst       | 181 ++++++++++++++++++
 Documentation/process/stable-kernel-rules.rst |   2 +-
 Documentation/process/submitting-patches.rst  |   2 +-
 .../it_IT/admin-guide/security-bugs.rst       |   2 +-
 .../it_IT/process/submitting-patches.rst      |   2 +-
 Documentation/translations/ja_JP/howto.rst    |   2 +-
 Documentation/translations/ko_KR/howto.rst    |   2 +-
 Documentation/translations/sp_SP/howto.rst    |   2 +-
 .../sp_SP/process/submitting-patches.rst      |   2 +-
 .../zh_CN/admin-guide/security-bugs.rst       |   2 +-
 .../translations/zh_CN/process/howto.rst      |   2 +-
 .../zh_TW/admin-guide/security-bugs.rst       |   2 +-
 .../translations/zh_TW/process/howto.rst      |   2 +-
 MAINTAINERS                                   |   4 +-
 20 files changed, 207 insertions(+), 116 deletions(-)
 delete mode 100644 Documentation/admin-guide/security-bugs.rst
 create mode 100644 Documentation/process/security-bugs.rst

-- 
2.40.0.rc1.2.gd15644fe02