Provide more information about how to interact with the linux-distros mailing list for disclosing security bugs.

First, clarify that the reporter must read and accept the linux-distros policies prior to sending a report.

Second, clarify that the reporter must provide a tentative public disclosure date and time in his first contact with linux-distros.

Suggested-by: Solar Designer <solar@xxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
--- Documentation/admin-guide/security-bugs.rst | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst index dcd6c93c7aac..c62faced9256 100644 --- a/Documentation/admin-guide/security-bugs.rst +++ b/Documentation/admin-guide/security-bugs.rst
@@ -61,14 +61,19 @@ Coordination Fixes for sensitive bugs, such as those that might lead to privilege escalations, may need to be coordinated with the private -<linux-distros@xxxxxxxxxxxxxxx> mailing list so that distribution vendors -are well prepared to issue a fixed kernel upon public disclosure of the -upstream fix. Distros will need some time to test the proposed patch and -will generally request at least a few days of embargo, and vendor update -publication prefers to happen Tuesday through Thursday. When appropriate, -the security team can assist with this coordination, or the reporter can -include linux-distros from the start. In this case, remember to prefix -the email Subject line with "[vs]" as described in the linux-distros wiki: +<linux-distros@xxxxxxxxxxxxxxx> mailing list so that distribution vendors are +well prepared to issue a fixed kernel upon public disclosure of the upstream +fix. As a reporter, you must read and accept the list's policy as outlined in +the linux-distros wiki: +<https://oss-security.openwall.org/wiki/mailing-lists/distros#list-policy-and-instructions-for-reporters>. +When you report a bug, you must also provide a tentative disclosure date and +time in your very first message to the list. Distros will need some time to +test the proposed patch so please allow at least a few days of embargo, and +vendor update publication prefers to happen Tuesday through Thursday. When +appropriate, the security team can assist with this coordination, or the +reporter can include linux-distros from the start. In this case, remember to +prefix the email Subject line with "[vs]" as described in the linux-distros +wiki: <http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists> CVE assignment -- 2.20.1
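Review bot: the added list-policy link uses https:// while the "how-to-use-the-lists" link kept as context at the end of this hunk still uses http:// for the same oss-security.openwall.org wiki, so switching the older link to https in the same patch would keep the two consistent. The commit message asks for a tentative public disclosure date and time, but the added sentence says only "tentative disclosure date and time"; adding "public" there would match the stated intent. The added "you must read and accept the list's policy" sentence also sits before the text saying the security team can assist with coordination, which leaves it unclear whether the requirement applies to the reporter in that case too; a short qualifier would settle it. Rewrapping the unchanged sentences to a wider column makes the diff larger than the two new sentences need, so keeping the original wrap would make the change easier to review.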