Re: [PATCH] Documentation/security-bugs: overhaul
From: Jonathan Corbet
Date: Wed Jun 01 2022 - 09:38:02 EST
Vegard Nossum <vegard.nossum@xxxxxxxxxx> writes:
> The current instructions for reporting security vulnerabilities in the
> kernel are not clear enough, in particular the process of disclosure
> and requesting CVEs, and what the roles of the different lists are and
> how exactly to report to each of them.
>
> Let's give this document an overhaul. Goals are stated as a comment at
> the top of the document itself (these will not appear in the rendered
> document).
...but they do appear in the plain-text document, which must also be
readable. Thus...
[...]
> diff --git a/Documentation/admin-guide/security-bugs.rst b/Documentation/admin-guide/security-bugs.rst
> index 82e29837d5898..5f37b3f1e77dc 100644
> --- a/Documentation/admin-guide/security-bugs.rst
> +++ b/Documentation/admin-guide/security-bugs.rst
> @@ -1,96 +1,175 @@
> +..
> + If you modify this document, please consider the following:
> +
> + 1) The most important information should be at the top (preferably in
> + the opening paragraph). This means contacting <security@xxxxxxxxxx>;
> + if somebody doesn't read any further than that, at least the security
> + team will have the report.
I submit that you are breaking your own rule by putting this stuff at
the top of the document. I'm not really convinced that you need it at
all - we don't normally include these sort of instructions - but if it
has to be here I would put it at the end.
[Haven't had a chance to look at the real material yet]
Thanks,
jon