Re: [PATCH v3 4/7] Documentation/security-bugs: add linux-distros and oss-security sections
From: Greg Kroah-Hartman
Date: Mon Mar 06 2023 - 01:08:46 EST
On Sun, Mar 05, 2023 at 11:00:07PM +0100, Vegard Nossum wrote:
> The existing information about CVE assignment requests and coordinated
> disclosure fits much better in these new sections, since that's what these
> lists are for.
>
> Keep just a reminder in the security list section.
>
> Signed-off-by: Vegard Nossum <vegard.nossum@xxxxxxxxxx>
> ---
> Documentation/process/security-bugs.rst | 92 ++++++++++++++++++-------
> 1 file changed, 67 insertions(+), 25 deletions(-)
>
> diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
> index fb156d146c42..2dd6569a7abb 100644
> --- a/Documentation/process/security-bugs.rst
> +++ b/Documentation/process/security-bugs.rst
> @@ -31,6 +31,10 @@ be released without consent from the reporter unless it has already been
> made public. Reporters are encouraged to propose patches, participate in the
> discussions of a fix, and test patches.
>
> +The security team does not assign CVEs, nor does it require them for reports
> +or fixes. CVEs may be requested when the issue is reported to the
> +linux-distros list.
Note, this kind of implies that the security team would be the one whom
you request a CVE from. We can't do that, nor do we ever even want to
deal with that for obvious reasons. Also, who is to say that CVEs are
even anything anyone should be messing with in the first place given how
much they are abused and irrelevant most of the time?
So I would just keep a big "The kernel developer community does not deal
with CVEs at all. If you want one for your résumé/CV, please contact
MITRE directly at your own risk." type of warning in the document and
leave it at that.
thanks,
greg k-h