From nobody Sat Apr 11 11:55:06 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A6CF0C6FA8E for ; Sun, 5 Mar 2023 22:02:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229743AbjCEWB6 (ORCPT ); Sun, 5 Mar 2023 17:01:58 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57976 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229753AbjCEWBo (ORCPT ); Sun, 5 Mar 2023 17:01:44 -0500 Received: from mx0a-00069f02.pphosted.com (mx0a-00069f02.pphosted.com [205.220.165.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7C89C1025B; Sun, 5 Mar 2023 14:01:43 -0800 (PST) Received: from pps.filterd (m0333521.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 325LvtUB020022; Sun, 5 Mar 2023 22:00:42 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding; s=corp-2022-7-12; bh=2m8H1ke5jWQAt4IxFD9cHEaOxnH7XK15MYG59dTVxBA=; b=lnWapAxQhx6qROlmQNLILRj3Lyaenfxxspvjkim7ogFdWZ2BVpHZ92h6GxENzpnZ7TkT RcrG8EWdtfztZCe8fJFgsP512afTzaUEvQTTXv7lUtqSWjFMY/EG8hwM4ObqeYsvDYDV wVilh1tRS1XFfvSTNefoHeFvbVHLrvibotjS6K4yGF2ElqQ3m1SVG3/n9qx4DwWrjqNQ L51UQh6G/L00tVu7PDywEiU0JQ5rv/gW7jHI0mPwdaXLATz46yVOJ390d6CG/U8u3z+q KOA5wuZQIgnIGKGCHpvCEbWxvzeP48pzjg2AyfrjNEtL+qhQBW1PAv515d9tfEvCoUSH eg== Received: from phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (phxpaimrmta01.appoci.oracle.com [138.1.114.2]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3p418xss7n-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sun, 05 Mar 2023 22:00:41 +0000 Received: from pps.filterd (phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com [127.0.0.1]) by phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (8.17.1.5/8.17.1.5) with ESMTP id 325IAIjd023468; Sun, 5 Mar 2023 22:00:40 GMT Received: from pps.reinject (localhost [127.0.0.1]) by phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (PPS) with ESMTPS id 3p4u040mb8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sun, 05 Mar 2023 22:00:40 +0000 Received: from phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com [127.0.0.1]) by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 325M0Nr3013622; Sun, 5 Mar 2023 22:00:40 GMT Received: from t460.home (dhcp-10-175-35-7.vpn.oracle.com [10.175.35.7]) by phxpaimrmta01.imrmtpd1.prodappphxaev1.oraclevcn.com (PPS) with ESMTP id 3p4u040ktj-3; Sun, 05 Mar 2023 22:00:39 +0000 From: Vegard Nossum To: Jonathan Corbet , linux-doc@vger.kernel.org, Jiri Kosina , Solar Designer , Will Deacon , Willy Tarreau Cc: Greg Kroah-Hartman , linux-kernel@vger.kernel.org, Amit Shah , Dave Hansen , David Woodhouse , "Gustavo A. R. Silva" , Kees Cook , Laura Abbott , Linus Torvalds , Mauro Carvalho Chehab , Paolo Bonzini , Peter Zijlstra , Thomas Gleixner , Thorsten Leemhuis , Tyler Hicks , Vegard Nossum Subject: [PATCH v3 2/7] Documentation/security-bugs: misc. improvements Date: Sun, 5 Mar 2023 23:00:05 +0100 Message-Id: <20230305220010.20895-3-vegard.nossum@oracle.com> X-Mailer: git-send-email 2.23.0.718.g5ad94255a8 In-Reply-To: <20230305220010.20895-1-vegard.nossum@oracle.com> References: <20230305220010.20895-1-vegard.nossum@oracle.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-03-05_12,2023-03-03_01,2023-02-09_01 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 mlxlogscore=999 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 malwarescore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2212070000 definitions=main-2303050192 X-Proofpoint-GUID: U5MPE3nB2NxnvuXxJgZF8zImAwqkISXj X-Proofpoint-ORIG-GUID: U5MPE3nB2NxnvuXxJgZF8zImAwqkISXj Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" This mostly just clarifies things and moves a few things around in preparation for the subsequent changes. Most notably, pull the "security@kernel.org" address up into the first paragraph as this the most vital piece of information in the whole document. Also fix a few markup issues. Signed-off-by: Vegard Nossum --- Documentation/process/security-bugs.rst | 37 ++++++++++++++----------- 1 file changed, 21 insertions(+), 16 deletions(-) diff --git a/Documentation/process/security-bugs.rst b/Documentation/proces= s/security-bugs.rst index 82e29837d589..f1326d4e9718 100644 --- a/Documentation/process/security-bugs.rst +++ b/Documentation/process/security-bugs.rst @@ -1,36 +1,41 @@ .. _securitybugs: =20 -Security bugs -=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +Reporting security bugs +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 Linux kernel developers take security very seriously. As such, we'd like to know when a security bug is found so that it can be fixed and disclosed as quickly as possible. Please report security bugs to the -Linux kernel security team. +Linux kernel security team at security@kernel.org, henceforth +"the security list". This is a closed list of trusted developers who +will help verify the bug report and develop a patch in case none was +already proposed. =20 -Contact -------- +While the security list is closed, the security team may bring in extra +help from the relevant maintainers to understand and fix the security +vulnerability. =20 -The Linux kernel security team can be contacted by email at -. This is a private list of security officers -who will help verify the bug report and develop and release a fix. -If you already have a fix, please include it with your report, as -that can speed up the process considerably. It is possible that the -security team will bring in extra help from area maintainers to -understand and fix the security vulnerability. +Note that the main interest of the kernel security list is in getting +bugs fixed and getting patches reviewed, tested, and merged; CVE +assignment, disclosure to distributions, and public disclosure happen on +different lists with different people. + +Contacting the security list +---------------------------- =20 As it is with any bug, the more information provided the easier it will be to diagnose and fix. Please review the procedure outlined in -'Documentation/admin-guide/reporting-issues.rst' if you are unclear about = what +Documentation/admin-guide/reporting-issues.rst if you are unclear about wh= at information is helpful. Any exploit code is very helpful and will not be released without consent from the reporter unless it has already been -made public. +made public. Reporters are encouraged to propose patches, participate in = the +discussions of a fix, and test patches. =20 Please send plain text emails without attachments where possible. It is much harder to have a context-quoted discussion about a complex issue if all the details are hidden away in attachments. Think of it like= a -:doc:`regular patch submission <../process/submitting-patches>` -(even if you don't have a patch yet): describe the problem and impact, list +regular patch submission (see Documentation/process/submitting-patches.rst) +even if you don't have a patch yet; describe the problem and impact, list reproduction steps, and follow it with a proposed fix, all in plain text. =20 Disclosure and embargoed information --=20 2.40.0.rc1.2.gd15644fe02