Re: [PATCH v3 3/3] Documentation: security-bugs: clarify requirements for AI-assisted reports

[Willy Tarreau]

On Wed, May 13, 2026 at 03:02:08PM -0600, Jonathan Corbet wrote:
> Jonathan Corbet <corbet@xxxxxxx> writes:
> 
> > Willy Tarreau <w@xxxxxx> writes:
> >
> >> On Wed, May 13, 2026 at 12:30:10PM +0200, Greg KH wrote:
> >>> > One nit:
> >>> > 
> >>> > > +  * **Impact Evaluation**: Many AI-generated reports lack an understanding of
> >>> > > +    the kernel's threat model and go to great lengths inventing theoretical
> >>> > > +    consequences.
> >>> > 
> >>> > If only we had a shiny new document describing that threat model that we
> >>> > could reference here... :)
> >>> 
> >>> Ah yes, a link to that would make things better, but don't we have that
> >>> elsewhere in this series?
> >>
> >> It's in the same patch, I think Jon was sarcastic here. I thought I had
> >> addressed that one but apparently I was wrong :-/
> >
> > I'm just saying that this particular text should link to that document,
> > don't make readers go searching for it.  I can certainly add a patch
> > doing that if you like.
> 
> I was thinking something like this.
> jon

Indeed, looks good like this as it won't hide the file name from the
link. In case you'd want it:

  Acked-by: Willy Tarreau <w@xxxxxx>

Thank you! 
Willy

> >From 3f02a3c190bab6b54e2a250ead0c7408af1a3c51 Mon Sep 17 00:00:00 2001
> From: Jonathan Corbet <corbet@xxxxxxx>
> Date: Wed, 13 May 2026 14:51:29 -0600
> Subject: [PATCH 1/2] docs: security-bugs: add a link to the threat-model
>  documentation
> 
> Rather than make readers search for this document, just a link to it where
> it is referenced.
> 
> (While I was at it, I removed the unused and unneeded _threatmodel label
> from the top of threat-model.rst).
> 
> Signed-off-by: Jonathan Corbet <corbet@xxxxxxx>
> ---
>  Documentation/process/security-bugs.rst | 13 +++++++------
>  Documentation/process/threat-model.rst  |  2 --
>  2 files changed, 7 insertions(+), 8 deletions(-)
> 
> diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
> index f85c65f31f12f..3c51ddde31dd9 100644
> --- a/Documentation/process/security-bugs.rst
> +++ b/Documentation/process/security-bugs.rst
> @@ -191,12 +191,13 @@ handle:
>      Please **always convert your report to plain text** without any formatting
>      decorations before sending it.
>  
> -  * **Impact Evaluation**: Many AI-generated reports lack an understanding of
> -    the kernel's threat model and go to great lengths inventing theoretical
> -    consequences. This adds noise and complicates triage. Please stick to
> -    verifiable facts (e.g., "this bug permits any user to gain CAP_NET_ADMIN")
> -    without enumerating speculative implications. Have your tool read this
> -    documentation as part of the evaluation process.
> +  * **Impact Evaluation**: Many AI-generated reports lack an understanding
> +    of the kernel's threat model (see Documentation/process/threat-model.rst)
> +    and go to great lengths inventing theoretical consequences. This adds
> +    noise and complicates triage. Please stick to verifiable facts (e.g.,
> +    "this bug permits any user to gain CAP_NET_ADMIN") without enumerating
> +    speculative implications. Have your tool read this documentation as
> +    part of the evaluation process.
>  
>    * **Reproducer**: AI-based tools are often capable of generating reproducers.
>      Please always ensure your tool provides one and **test it thoroughly**. If
> diff --git a/Documentation/process/threat-model.rst b/Documentation/process/threat-model.rst
> index ecb432390e792..91da52f7114fd 100644
> --- a/Documentation/process/threat-model.rst
> +++ b/Documentation/process/threat-model.rst
> @@ -1,5 +1,3 @@
> -.. _threatmodel:
> -
>  The Linux Kernel threat model
>  =============================
>  
> -- 
> 2.53.0
>