On Mon, Mar 06, 2023 at 07:02:14AM +0100, Greg Kroah-Hartman wrote:
> Secondly, and the bigger one, I think we should just drop all of the
> references to linux-distros and oss-security entirely, as those are
> groups that are outside of our control and interaction and have
> different rules that we might not agree with. They are also just a tiny
> subset of Linux users and companies and as such do not really reflect
> the majority of where Linux is used anymore.

I'm wondering if instead they shouldn't just be mentioned as a warning
about the risk of leak or forced disclosure. We know that reporters may
find the address from various places, including various sites that may
enumerate the long list of potential contacts, and not just this doc.
It can be useful to have just a paragraph warning about the fact that
oss-sec is public and that linux-distros has this strict disclosure
policy without consideration for the availability of a fix, in order to
warn them to only contact such lists once the fix is available and
tested if they want to, but never before.

Anything we can do to help serious reporters (i.e. those who are really
embarrassed with a bug, not those who seek a Curriculum Vitae Enhancer)
should be done. It's always a stressful moment to report a security
issue on a project, you always fear that you might be making an
irreversible mistake, so whatever info we can pass about the risks (or
lack of) should be welcome I guess.

Willy