Re: [PATCH 3/3] Documentation: clarify the mandatory and desirable info for security reports

[Willy Tarreau]

On Thu, Apr 02, 2026 at 12:17:38PM -0700, Randy Dunlap wrote:
> 
> 
> On 4/2/26 12:03 PM, Willy Tarreau wrote:
> > Hi Randy,
> > 
> > On Thu, Apr 02, 2026 at 11:50:00AM -0700, Randy Dunlap wrote:
> >>
> >> On 4/2/26 11:26 AM, Willy Tarreau wrote:
> >>> A significant part of the effort of the security team consists in begging
> >>> reporters for patch proposals, or asking them to provide them in regular
> >>> format, and most of the time they're willing to provide this, they just
> >>> didn't know that it would help. So let's add a section detailing the
> >>> required and desirable contents in a security report to help reporters
> >>> write more actionable reports which do not require round trips.
> >>>
> >>> Cc: Eric Dumazet <edumazet@xxxxxxxxxx>
> >>> Cc: Greg KH <greg@xxxxxxxxx>
> >>> Signed-off-by: Willy Tarreau <w@xxxxxx>
> >>> ---
> >>>  Documentation/process/security-bugs.rst | 66 ++++++++++++++++++++++---
> >>>  1 file changed, 59 insertions(+), 7 deletions(-)
> >>>
> >>> diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
> >>> index 6937fa9fba5a..b243ac24eb12 100644
> >>> --- a/Documentation/process/security-bugs.rst
> >>> +++ b/Documentation/process/security-bugs.rst
> >>> @@ -7,6 +7,65 @@ Linux kernel developers take security very seriously.  As such, we'd
> >>>  like to know when a security bug is found so that it can be fixed and
> >>>  disclosed as quickly as possible.
> >>>  
> >>> +Preparing your report
> >>> +---------------------
> >>> +
> >>> +Like with any bug report, a security bug report requires a lot of analysis work
> >>> +from the developers, so the more information you can share about the issue, the
> >>> +better.  Please review the procedure outlined in
> >>> +'Documentation/admin-guide/reporting-issues.rst' if you are unclear about what
> >>
> >> Drop the single quote marks.
> > 
> > I just moved this part as-is, and I've been extremely hesitant to change
> > formatting as I can't easily check the validity of the output.
> > 
> >>> +information is helpful.  The following information are absolutely necessary in
> >>> +**any** security bug report:
> >>> +
> >>> +  * **affected kernel version range**: with no version indication, your report
> >>> +    will not be processed.  A significant part of reports are for bugs that
> >>> +    have already been fixed, so it is extremely important that vulnerabilities
> >>> +    are verified on recent versions (development tree or latest stable
> >>> +    version), at least by verifying that the code has not changed since the
> >>> +    version where it was detected.
> >>> +
> >>> +  * **description of the problem**: a detailed description of the problem, with
> >>> +    traces showing its manifestation, and why you consider that the observed
> >>> +    behavior as a problem in the kernel, is necessary.
> >>> +
> >>> +  * **reproducer**: developers will need to be able to reproduce the problem to
> >>> +    consider a fix as effective.  This includes both a way to trigger the issue
> >>> +    and a way to confirm it happens.  A reproducer with low complexity
> >>> +    dependencies will be needed (source code, shell script, sequence of
> >>> +    instructions, file-system image etc).  Binary-only executables are not
> >>> +    accepted.  Working exploits are extremely helpful and will not be released
> >>> +    without consent from the reporter, unless they are already public.  By
> >>> +    definition if an issue cannot be reproduced, it is not exploitable, thus it
> >>> +    is not a security bug.
> >>> +
> >>> +  * **conditions**: if the bug depends on certain configuration options,
> >>> +    sysctls, permissions, timing, code modifications etc, these should be
> >>> +    indicated.
> >>> +
> >>> +In addition, the following information are highly desirable:
> >>> +
> >>> +  * **suspected location of the bug**: the file names and functions where the
> >>> +    bug is suspected to be present are very important, at least to help forward
> >>> +    the report to the appropriate maintainers.  When not possible (for example,
> >>> +    "system freezes each time I run this command"), the security team will help
> >>> +    identify the source of the bug.
> >>> +
> >>> +  * **a proposed fix**: bug reporters who have analyzed the cause of a bug in
> >>> +    the source code almost always have an accurate idea on how to fix it,
> >>> +    because they spent a long time studying it and its implications.  Proposing
> >>> +    a tested fix will save maintainers a lot of time, even if the fix ends up
> >>> +    not being the right one, because it helps understand the bug.  When
> >>> +    proposing a tested fix, please always format it in a way that can be
> >>> +    immediately merged (see :doc:`regular patch submission
> >>> +    <../process/submitting-patches>`).  This will save some back-and-forth
> >>
> >> Hm, I don't see anything in submitting-patches.rst called "regular patch submission".
> >> Is it in some other patch?
> > 
> > Not sure what you mean. Is this supposed to be a sub-section and not just a
> > title ? On https://www.kernel.org/doc/html/latest/process/security-bugs.html
> > it appears as the title. This one was already present in the same document
> > and was moved there without a change.
> 
> I see. Sorry for the noise.

No worries, I appreciate your help, the format is not trivial and mistakes
are easy!

Thanks,
Willy