Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docs/linux: updated reporting security bugs guide
Updated the documentation with: * vulnerability definition and kernel security bug description * reporting security procedure per https://docs.kernel.org/process/security-bugs.html * CVE assignment per https://www.kernel.org/doc/html/latest/process/cve.html, and recent Greg K-H video from the recent conference, https://www.youtube.com/watch?v=KumwRn1BA6s * reporting to linux-distros per https://oss-security.openwall.org/wiki/mailing-lists/distros Removed minor, major security bug classifications as now, CVE is assigned to the issue even it triggers WARN_ON with panic_on_warn enabled and reboots the system. Since there are 4 different parties with own interests: - [email protected] wants to release the fix ASAP, but can be postponed if the reporter asks an embargo period to let linux-distros update their kernels. - [email protected] is included in the mailing list, once the fix is developed, but NOT merged in the stable tree Once the fix lands on the stable tree, [email protected] should not be mentioned in the conversation as they don't have any further interests. - [email protected] is notified once the fix is publicly merged to the stable tree - [email protected] is notified if the CVE should be assigned to the fix which is publicly merged to the stable tree. Fixes: google#4714
- Loading branch information
