On Sun, Mar 05, 2023 at 11:00:05PM +0100, Vegard Nossum wrote: > This mostly just clarifies things and moves a few things around in > preparation for the subsequent changes. > > Most notably, pull the "security@xxxxxxxxxx" address up into the first > paragraph as this the most vital piece of information in the whole > document. > > Also fix a few markup issues. When you have "also" in a patch changelog, that usually means this should be a separate patch. Can you just fix up the markup issues first please? Also, a few minor comments below: > > Signed-off-by: Vegard Nossum <vegard.nossum@xxxxxxxxxx> > --- > Documentation/process/security-bugs.rst | 37 ++++++++++++++----------- > 1 file changed, 21 insertions(+), 16 deletions(-) > > diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst > index 82e29837d589..f1326d4e9718 100644 > --- a/Documentation/process/security-bugs.rst > +++ b/Documentation/process/security-bugs.rst > @@ -1,36 +1,41 @@ > .. _securitybugs: > > -Security bugs > -============= > +Reporting security bugs > +======================= > > Linux kernel developers take security very seriously. As such, we'd > like to know when a security bug is found so that it can be fixed and > disclosed as quickly as possible. Please report security bugs to the > -Linux kernel security team. > +Linux kernel security team at security@xxxxxxxxxx, henceforth > +"the security list". This is a closed list of trusted developers who > +will help verify the bug report and develop a patch in case none was > +already proposed. > > -Contact > -------- > +While the security list is closed, the security team may bring in extra > +help from the relevant maintainers to understand and fix the security > +vulnerability. > > -The Linux kernel security team can be contacted by email at > -<security@xxxxxxxxxx>. This is a private list of security officers > -who will help verify the bug report and develop and release a fix. > -If you already have a fix, please include it with your report, as > -that can speed up the process considerably. It is possible that the > -security team will bring in extra help from area maintainers to > -understand and fix the security vulnerability. > +Note that the main interest of the kernel security list is in getting > +bugs fixed and getting patches reviewed, tested, and merged; CVE It's not "main interest", it is the "only task" of it. That's all the list does, nothing else. > +assignment, disclosure to distributions, and public disclosure happen on > +different lists with different people. How about this rephrasing: The only tasks of the kernel security list are to triage reported potential security bugs, generate and test a fix, and get the fix merged into Linus's and the stable kernel trees. The security list does not deal with CVE assignment or any sort of disclosure at all. thanks, greg k-h
