Re: [PATCH v3 2/3] Documentation: security-bugs: explain what is and is not a security bug

[Willy Tarreau]

On Mon, May 11, 2026 at 07:28:57PM +0200, Greg KH wrote:
> On Sat, May 09, 2026 at 11:47:54AM +0200, Willy Tarreau wrote:
> > The use of automated tools to find bugs in random locations of the kernel
> > induces a raise of security reports even if most of them should just be
> > reported as regular bugs. This patch is an attempt at drawing a line
> > between what qualifies as a security bug and what does not, hoping to
> > improve the situation and ease decision on the reporter's side.
> > 
> > It defers the enumeration to a new file, threat-model.rst, that tries
> > to enumerate various classes of issues that are and are not security
> > bugs. This should permit to more easily update this file for various
> > subsystem-specific rules without having to revisit the security bug
> > reporting guide.
> > 
> > Cc: Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx>
> > Cc: Leon Romanovsky <leon@xxxxxxxxxx>
> > Suggested-by: Leon Romanovsky <leon@xxxxxxxxxx>
> > Suggested-by: Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx>
> > Reviewed-by: Leon Romanovsky <leon@xxxxxxxxxx>
> > Reviewed-by: Shuah Khan <skhan@xxxxxxxxxxxxxxxxxxx>
> > Signed-off-by: Willy Tarreau <w@xxxxxx>
> > ---
> >  Documentation/process/index.rst         |   1 +
> >  Documentation/process/security-bugs.rst |  38 +++-
> >  Documentation/process/threat-model.rst  | 236 ++++++++++++++++++++++++
> >  3 files changed, 274 insertions(+), 1 deletion(-)
> >  create mode 100644 Documentation/process/threat-model.rst
> 
> Looks great, thank you!
> 
> Reviewed-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> 
> Want me to take it through one of my trees now to get it to Linus this
> week, or should it go through the documentation tree?  Either is fine
> with me.

Yes, please take it as usual, it's simpler for me and it will likely
allow it to be published ealier, which ultimately should help us
faster ;-)

Thanks!
Willy