Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs/linux: updated reporting security bugs - strictly follow [email protected] #5502

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

novitoll
Copy link
Contributor

Updated the documentation with:

Removed minor, major security bug classifications as now, CVE is assigned to the issue even it triggers WARN_ON with panic_on_warn enabled and reboots the system.

The updated reporting process strictly follows the [email protected] guideline.

Fixes: #4714

@novitoll
Copy link
Contributor Author

This is a strict version of #5461 which does not involve linux-distros, oss-security into the Linux kernel bus reporting process according to kernel.org recommendations. See the lore thread in this comment.

Updated the documentation with:

* vulnerability definition and kernel security bug description
* reporting security procedure per https://docs.kernel.org/process/security-bugs.html
* CVE assignment per https://www.kernel.org/doc/html/latest/process/cve.html
* and recent Greg K-H video from the recent conference - https://www.youtube.com/watch?v=KumwRn1BA6s

Removed minor, major security bug classifications as now,
CVE is assigned to the issue even it triggers WARN_ON with panic_on_warn
enabled and reboots the system.

The updated reporting process strictly follows the [email protected]
guideline.

Fixes: google#4714
@novitoll novitoll force-pushed the docs-linux-kernel-sec-4714-2 branch from 8943fc8 to 83f6aa3 Compare November 11, 2024 20:37
@novitoll novitoll changed the title docs/linux: updated reporting security bugs guide docs/linux: updated reporting security bugs - strictly follow [email protected] Nov 15, 2024
@xairy
Copy link
Collaborator

xairy commented Nov 17, 2024

I'd say we should keep to the existing workflow and just update the part about CVE assignments. Changing the process to only reporting bugs to [email protected] is quite one-sided: I have a feeling that people on linux-distros care about exploitable security problems way more than people on [email protected]. And keeping the announcements to oss-security makes sense too: there are people who monitor that list to get notified of impactful bugs (including me).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

docs: information about reporting Linux kernel security bugs is outdated
2 participants