Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx> writes:

> Due to recent events we were asked about some vulnerability fixes for
> brcmfmac. We already fixed a couple of things without referring to a
> so-called CVE-ID, which is what people are asking for. Do we have an
> upstream policy on that? I could not really find anything in the
> Documentation folder (but I may have overlooked it). Might be worth
> mentioning in the commit message like with the coverity ids.

Johannes already answered, but I'll just add that this is all I know
about security patches:

  If you have a patch that fixes an exploitable security bug, send that
  patch to security@xxxxxxxxxx. For severe bugs, a short embargo may be
  considered to allow distributors to get the patch out to users; in
  such cases, obviously, the patch should not be sent to any public
  lists.

https://www.kernel.org/doc/html/latest/process/submitting-patches.html

I don't know if you should follow that in this case or not, just wanted
to point this out.

-- 
Kalle Valo