Re: [PATCH v3 4/7] Documentation/security-bugs: add linux-distros and oss-security sections

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, Mar 05, 2023 at 11:00:07PM +0100, Vegard Nossum wrote:
> The existing information about CVE assignment requests and coordinated
> disclosure fits much better in these new sections, since that's what these
> lists are for.
> 
> Keep just a reminder in the security list section.
> 
> Signed-off-by: Vegard Nossum <vegard.nossum@xxxxxxxxxx>
> ---
>  Documentation/process/security-bugs.rst | 92 ++++++++++++++++++-------
>  1 file changed, 67 insertions(+), 25 deletions(-)
> 
> diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
> index fb156d146c42..2dd6569a7abb 100644
> --- a/Documentation/process/security-bugs.rst
> +++ b/Documentation/process/security-bugs.rst
> @@ -31,6 +31,10 @@ be released without consent from the reporter unless it has already been
>  made public.  Reporters are encouraged to propose patches, participate in the
>  discussions of a fix, and test patches.
>  
> +The security team does not assign CVEs, nor does it require them for reports
> +or fixes.  CVEs may be requested when the issue is reported to the
> +linux-distros list.

Note, this kind of implies that the security team would be the one whom
you request a CVE from.  We can't do that, nor do we ever even want to
deal with that for obvious reasons.  Also, who is to say that CVEs are
even anything anyone should be messing with in the first place given how
much they are abused and irrelevant most of the time?

So I would just keep a big "The kernel developer community does not deal
with CVEs at all.  If you want one for your résumé/CV, please contact
MITRE directly at your own risk." type of warning in the document and
leave it at that.

thanks,

greg k-h



[Index of Archives]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]     [Linux Resources]

  Powered by Linux