Re: [PATCH v3 3/3] Documentation: security-bugs: clarify requirements for AI-assisted reports

From: Jonathan Corbet

Date: Tue May 12 2026 - 13:22:07 EST


Willy Tarreau <w@xxxxxx> writes:

> AI tools are increasingly used to assist in bug discovery. While these
> tools can identify valid issues, reports that are submitted without
> manual verification often lack context, contain speculative impact
> assessments, or include unnecessary formatting. Such reports increase
> triage effort, waste maintainers' time and may be ignored.
>
> Reports where the reporter has verified the issue and the proposed fix
> typically meet quality standards. This documentation outlines specific
> requirements for length, formatting, and impact evaluation to reduce
> the effort needed to deal with these reports.
>
> Cc: Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx>
> Acked-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> Reviewed-by: Leon Romanovsky <leon@xxxxxxxxxx>
> Signed-off-by: Willy Tarreau <w@xxxxxx>
> ---
> Documentation/process/security-bugs.rst | 57 +++++++++++++++++++++++++
> 1 file changed, 57 insertions(+)

One nit:

> + * **Impact Evaluation**: Many AI-generated reports lack an understanding of
> + the kernel's threat model and go to great lengths inventing theoretical
> + consequences.
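
Review bot: the "Impact Evaluation" bullet names "the kernel's threat model" without saying where a reporter can read it, so the quoted lines describe a failing rather than giving the reporter something to check a claim against. Consider adding a cross-reference at that mention to the document that describes the threat model, and stating the expected action, for example that the report should describe only the impact the reporter has actually verified. Minor wording: "go to great lengths inventing" reads better as "go to great lengths to invent".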

If only we had a shiny new document describing that threat model that we
could reference here... :)

Thanks,

jon