docs/linux: updated reporting security bugs guide
Updated the documentation with:

* vulnerability definition and kernel security bug description
* security bug reporting procedure per https://docs.kernel.org/process/security-bugs.html
* CVE assignment per https://www.kernel.org/doc/html/latest/process/cve.html,
	and the recent Greg K-H talk from the recent conference,
	https://www.youtube.com/watch?v=KumwRn1BA6s
* reporting to linux-distros per https://oss-security.openwall.org/wiki/mailing-lists/distros

Removed the minor and major security bug classifications, since now a CVE is
assigned to the issue even if it only triggers WARN_ON with panic_on_warn enabled
and reboots the system.

There are 4 different parties, each with their own interests:
- [email protected] wants to release the fix ASAP, but the release can be
  postponed if the reporter asks for an embargo period to let linux-distros
  update their kernels.

- [email protected] is included in the mailing list once
  the fix is developed but NOT merged into the stable tree.

  Once the fix lands in the stable tree, [email protected] should not be
  mentioned in the conversation, as they don't have any further interest.

- [email protected] is notified once the fix is publicly
  merged into the stable tree.

- [email protected] is notified if a CVE should be assigned to the fix
  that is publicly merged into the stable tree.

Fixes: google#4714
novitoll committed Nov 6, 2024
1 parent f00eed2 commit 13a8d7b
Showing 3 changed files with 391 additions and 44 deletions.