On Sun, Mar 05, 2023 at 11:00:07PM +0100, Vegard Nossum wrote:
> The existing information about CVE assignment requests and coordinated
> disclosure fits much better in these new sections, since that's what these
> lists are for.
>
> Keep just a reminder in the security list section.
>
> Signed-off-by: Vegard Nossum <vegard.nossum@xxxxxxxxxx>
> ---
> Documentation/process/security-bugs.rst | 92 ++++++++++++++++++-------
> 1 file changed, 67 insertions(+), 25 deletions(-)
>
> diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst > index fb156d146c42..2dd6569a7abb 100644 > --- a/Documentation/process/security-bugs.rst > +++ b/Documentation/process/security-bugs.rst > @@ -31,6 +31,10 @@ be released without consent from the reporter unless it has already been > made public. Reporters are encouraged to propose patches, participate in the > discussions of a fix, and test patches. > > +The security team does not assign CVEs, nor does it require them for reports > +or fixes. CVEs may be requested when the issue is reported to the > +linux-distros list.

Note, this kind of implies that the security team would be the one whom you request a CVE from. We can't do that, nor do we ever even want to deal with that for obvious reasons.

Also, who is to say that CVEs are even anything anyone should be messing with in the first place given how much they are abused and irrelevant most of the time?

So I would just keep a big "The kernel developer community does not deal with CVEs at all. If you want one for your résumé/CV, please contact MITRE directly at your own risk." type of warning in the document and leave it at that.

thanks,

greg k-h
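
Review bot: The second added sentence in the hunk at -31,6 +31,10 ("CVEs may be requested when the issue is reported to the linux-distros list.") is passive and never names who receives the request, so sitting directly after "The security team does not assign CVEs" it can be read as the security team relaying CVE requests. Name the party the request goes to explicitly, or reduce the reminder to the first sentence plus a cross-reference to the new list sections that the commit message says now carry the CVE and coordinated-disclosure details.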