Skip to content

Commit

Permalink
docs/linux: updated reporting security bugs guide
Browse files Browse the repository at this point in the history 
Updated the documentation with:

* vulnerability definition and kernel security bug description
* reporting security procedure per https://docs.kernel.org/process/security-bugs.html
* CVE assignment per https://www.kernel.org/doc/html/latest/process/cve.html,
	and recent Greg K-H video from the recent conference,
	https://www.youtube.com/watch?v=KumwRn1BA6s
* reporting to linux-distros per https://oss-security.openwall.org/wiki/mailing-lists/distros

Removed minor, major security bug classifications as now, CVE is assigned to
the issue even it triggers WARN_ON with panic_on_warn enabled and
reboots the system.

Since there are 4 different parties with own interests:
- security@kernel.org wants to release the fix ASAP, but can be
  postponed if the reporter asks an embargo period to let linux-distros
  update their kernels.

- linux-distros@vs.openwall.org is included in the mailing list, once
  the fix is developed, but NOT merged in the stable tree

Once the fix lands on the stable tree, security@kernel.org should not be
mentioned in the conversation as they don't have any further interests.

- oss-security@lists.openwall.com is notified once the fix is publicly
  merged to the stable tree

- cve@kernel.org is notified if the CVE should be assigned to the fix
  which is publicly merged to the stable tree.

Fixes: google#4714
  • Loading branch information
@novitoll
novitoll committed Nov 4, 2024
1 parent f00eed2 commit 0bf5790
Show file tree
Hide file tree
Showing 3 changed files with 389 additions and 44 deletions.
Loading

0 comments on commit 0bf5790

Please sign in to comment.