On Sun, Mar 05, 2023 at 11:00:03PM +0100, Vegard Nossum wrote:
> Hi,
>
> This is v3 of clarifying our documentation for reporting security
> issues.
>
> The current document is not clear enough, in particular the process of
> disclosure and requesting CVEs, and what the roles of the different
> lists are and how exactly to report to each of them.
>
> Lots of people have been confused about the 7/14 days of the kernel list
> vs. the 7/14 days of the distros list, the fact that these are two
> separate lists, etc. Many reporters contact distros first, or submit
> their report to both lists at the same time (which has the unfortunate
> effect of starting off the disclosure countdown for the distros list
> before s@k.o has had a chance to look at the report). I've shared the v2
> document with a couple of people who submitted reports and they said
> they found it a lot clearer.
>

The docs LGTM, thanks!

Reviewed-by: Bagas Sanjaya <bagasdotme@xxxxxxxxx>

--
An old man doll... just what I always wanted! - Clara