From: Kees Cook <keescook@chromium.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
security@kernel.org, corbet@lwn.net, workflows@vger.kernel.org
Subject: Re: [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE handling
Date: Fri, 30 Jun 2023 11:18:37 -0700 [thread overview]
Message-ID: <202306301114.E199B136@keescook> (raw)
In-Reply-To: <2023063022-retouch-kerosene-7e4a@gregkh>
On Fri, Jun 30, 2023 at 09:14:21AM +0200, Greg Kroah-Hartman wrote:
> The kernel security team does NOT assign CVEs, so document that properly
> and provide the "if you want one, ask MITRE for it" response that we
> give on a weekly basis in the document, so we don't have to constantly
> say it to everyone who asks.
>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
> Documentation/process/security-bugs.rst | 11 ++++-------
> 1 file changed, 4 insertions(+), 7 deletions(-)
>
> diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
> index f12ac2316ce7..8b80e1eb7d79 100644
> --- a/Documentation/process/security-bugs.rst
> +++ b/Documentation/process/security-bugs.rst
> @@ -79,13 +79,10 @@ not contribute to actually fixing any potential security problems.
> CVE assignment
> --------------
>
> -The security team does not normally assign CVEs, nor do we require them
> -for reports or fixes, as this can needlessly complicate the process and
> -may delay the bug handling. If a reporter wishes to have a CVE identifier
> -assigned ahead of public disclosure, they will need to contact the private
> -linux-distros list, described above. When such a CVE identifier is known
> -before a patch is provided, it is desirable to mention it in the commit
> -message if the reporter agrees.
> +The security team does not assign CVEs, nor do we require them for
> +reports or fixes, as this can needlessly complicate the process and may
> +delay the bug handling. If a reporter wishes to have a CVE identifier
> +assigned, they should contact MITRE directly.
Hmm. The language about "assigned ahead of public disclosure" was added
intentionally due to trouble we'd had with coordination when a CVE was
needed, etc. Additionally, it IS preferred to have a CVE in a patch when
it IS known ahead of time, so I think that should be kept. How about
this:
diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
index 82e29837d589..2f4060d49b31 100644
--- a/Documentation/process/security-bugs.rst
+++ b/Documentation/process/security-bugs.rst
@@ -81,13 +81,12 @@ the email Subject line with "[vs]" as described in the linux-distros wiki:
CVE assignment
--------------
-The security team does not normally assign CVEs, nor do we require them
-for reports or fixes, as this can needlessly complicate the process and
-may delay the bug handling. If a reporter wishes to have a CVE identifier
-assigned ahead of public disclosure, they will need to contact the private
-linux-distros list, described above. When such a CVE identifier is known
-before a patch is provided, it is desirable to mention it in the commit
-message if the reporter agrees.
+The security team does not assign CVEs, nor do we require them for reports
+or fixes, as this can needlessly complicate the process and may delay
+the bug handling. If a reporter wishes to have a CVE identifier assigned
+ahead of public disclosure, they will need to contact MITRE directly.
+When such a CVE identifier is known before a patch is provided, it is
+desirable to mention it in the commit message if the reporter agrees.
Non-disclosure agreements
-------------------------
--
Kees Cook
next prev parent reply other threads:[~2023-06-30 18:18 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-30 7:14 [PATCH 1/2] Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group Greg Kroah-Hartman
2023-06-30 7:14 ` [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE handling Greg Kroah-Hartman
2023-06-30 7:21 ` Greg Kroah-Hartman
2023-06-30 18:18 ` Kees Cook [this message]
2023-07-02 12:39 ` Greg Kroah-Hartman
2023-07-03 4:08 ` Willy Tarreau
2023-07-03 15:00 ` Greg Kroah-Hartman
2023-07-03 18:35 ` Kees Cook
2023-07-03 19:05 ` Greg Kroah-Hartman
2023-07-03 19:26 ` Kees Cook
2023-07-03 19:35 ` Willy Tarreau
2023-06-30 18:14 ` [PATCH 1/2] Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group Kees Cook
2023-07-03 15:00 ` Greg Kroah-Hartman
2023-07-03 15:01 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202306301114.E199B136@keescook \
--to=keescook@chromium.org \
--cc=corbet@lwn.net \
--cc=gregkh@linuxfoundation.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=security@kernel.org \
--cc=workflows@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.