[PATCH v2 0/3] Documentation: clarify required info in security reports

Willy Tarreau posted 3 patches 2 months, 1 week ago
Documentation/process/security-bugs.rst | 147 +++++++++++++++++++++---
1 file changed, 132 insertions(+), 15 deletions(-)
[PATCH v2 0/3] Documentation: clarify required info in security reports
Posted by Willy Tarreau 2 months, 1 week ago
Hi Greg,

I'm sending you the doc clarifications we discussed for the process of
reporting security issues. It's cut into the 3 patches I shared this
morning on the security list (plus two typos fixed and a paragraph
asking for one single issue per report):

  - one patch that reminds of our need for a valid e-mail address
  - one that explains to reporters how to proceed to find maintainers'
    addresses, hoping we won't have to do it for 90% of reports anymore
  - one that enumerates basic requirements for every report

I think it covers the difficulties we've faced this week. As always,
we might possibly find tiny adjustments to add, but my goal would be
for such updates to be merged in time to update the public page ASAP
so that we can redirect incomplete reports in an attempt to lower the
team's current load.

Thanks!
Willy

---

v2:
  - dropped quotes around a doc link and turned two relative doc links
    to absolute ones (thanks Randy).

---
Willy Tarreau (3):
  Documentation: minor updates to the security contacts
  Documentation: explain how to find maintainers addresses for security
    reports
  Documentation: clarify the mandatory and desirable info for security
    reports

 Documentation/process/security-bugs.rst | 147 +++++++++++++++++++++---
 1 file changed, 132 insertions(+), 15 deletions(-)

-- 
2.52.0
Re: [PATCH v2 0/3] Documentation: clarify required info in security reports
Posted by Greg KH 2 months, 1 week ago
On Fri, Apr 03, 2026 at 08:20:15AM +0200, Willy Tarreau wrote:
> Hi Greg,
> 
> I'm sending you the doc clarifications we discussed for the process of
> reporting security issues. It's cut into the 3 patches I shared this
> morning on the security list (plus two typos fixed and a paragraph
> asking for one single issue per report):
> 
>   - one patch that reminds of our need for a valid e-mail address
>   - one that explains to reporters how to proceed to find maintainers'
>     addresses, hoping we won't have to do it for 90% of reports anymore
>   - one that enumerates basic requirements for every report
> 
> I think it covers the difficulties we've faced this week. As always,
> we might possibly find tiny adjustments to add, but my goal would be
> for such updates to be merged in time to update the public page ASAP
> so that we can redirect incomplete reports in an attempt to lower the
> team's current load.

Looks great, thanks.  I've applied these to one of my trees and will get
them to Linus in time for 7.0-final.

greg k-h
Re: [PATCH v2 0/3] Documentation: clarify required info in security reports
Posted by Willy Tarreau 2 months, 1 week ago
On Fri, Apr 03, 2026 at 01:11:47PM +0200, Greg KH wrote:
> On Fri, Apr 03, 2026 at 08:20:15AM +0200, Willy Tarreau wrote:
> > Hi Greg,
> > 
> > I'm sending you the doc clarifications we discussed for the process of
> > reporting security issues. It's cut into the 3 patches I shared this
> > morning on the security list (plus two typos fixed and a paragraph
> > asking for one single issue per report):
> > 
> >   - one patch that reminds of our need for a valid e-mail address
> >   - one that explains to reporters how to proceed to find maintainers'
> >     addresses, hoping we won't have to do it for 90% of reports anymore
> >   - one that enumerates basic requirements for every report
> > 
> > I think it covers the difficulties we've faced this week. As always,
> > we might possibly find tiny adjustments to add, but my goal would be
> > for such updates to be merged in time to update the public page ASAP
> > so that we can redirect incomplete reports in an attempt to lower the
> > team's current load.
> 
> Looks great, thanks.  I've applied these to one of my trees and will get
> them to Linus in time for 7.0-final.

Thank you!
Willy