Re: [PATCH] Documentation/security-bugs: overhaul

From: Jonathan Corbet
Date: Wed Jun 01 2022 - 09:38:02 EST


Vegard Nossum <vegard.nossum@xxxxxxxxxx> writes:

> The current instructions for reporting security vulnerabilities in the
> kernel are not clear enough, in particular the process of disclosure
> and requesting CVEs, and what the roles of the different lists are and
> how exactly to report to each of them.
>
> Let's give this document an overhaul. Goals are stated as a comment at
> the top of the document itself (these will not appear in the rendered
> document).

...but they do appear in the plain-text document, which must also be
readable. Thus...

[...]

> diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
> index 82e29837d5898..5f37b3f1e77dc 100644
> --- a/Documentation/admin-guide/security-bugs.rst
> +++ b/Documentation/admin-guide/security-bugs.rst
> @@ -1,96 +1,175 @@
> +..
> + If you modify this document, please consider the following:
> +
> + 1) The most important information should be at the top (preferably in
> + the opening paragraph). This means contacting <security@xxxxxxxxxx>;
> + if somebody doesn't read any further than that, at least the security
> + team will have the report.
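Review bot: the new comment block undercuts the rule it states, since in the plain-text form of security-bugs.rst the only occurrence of the security@ contact a reader sees first is inside the maintainer guidance (line "This means contacting <security@xxxxxxxxxx>;") rather than in an opening paragraph of the document proper; move the ".." comment block to the end of the file (or into the commit message) so that the first thing a reader of either the rendered or the raw file encounters is the reporting address itself, and keep the guidance lines indented under ".." consistently so reStructuredText still treats them as one comment.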

I submit that you are breaking your own rule by putting this stuff at
the top of the document. I'm not really convinced that you need it at
all - we don't normally include this sort of instruction - but if it
has to be here I would put it at the end.

[Haven't had a chance to look at the real material yet]

Thanks,

jon