Document describes the process of handling security bugs but does not mention any criteria what is a "security bug". Unlike submitting-patches.rst which explicitly says - publicly exploitable bug. Many NULL pointer exceptions, off-by-one errors or overflows tend to look like security bug, so there might be a temptation to discuss them behind security list which is not an open list. Such discussion limits the amount of testing and independent reviewing. Sacrificing open discussion is understandable in the case of real security issues but not for regular bugs. These should be discussed publicly. At the end, "security problems are just bugs". Cc: Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> Cc: Marek Szyprowski <m.szyprowski@xxxxxxxxxxx> Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> Cc: Kees Cook <keescook@xxxxxxxxxxxx> Signed-off-by: Krzysztof Kozlowski <krzk@xxxxxxxxxx> --- Follow up to: https://lore.kernel.org/linux-usb/1425ab4f-ef7e-97d9-238f-0328ab51eb35@xxxxxxxxxxx/ --- Documentation/admin-guide/security-bugs.rst | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst index c32eb786201c..7ebddbd4bbcd 100644 --- a/Documentation/admin-guide/security-bugs.rst +++ b/Documentation/admin-guide/security-bugs.rst @@ -78,6 +78,12 @@ include linux-distros from the start. In this case, remember to prefix the email Subject line with "[vs]" as described in the linux-distros wiki: <http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists> +Fixes for non-exploitable bugs which do not pose a real security risk, should +be disclosed in a regular way of submitting patches to Linux kernel (see +:ref:`Documentation/process/submitting-patches.rst <submitting-patches>`). +Just because patch fixes some off-by-one or NULL pointer exception, does not +classify it as a security bug which should be discussed in closed channels. + CVE assignment -------------- -- 2.17.1
