Re: [qemu-web RFC 2/3] contribute: add automate tool disclosure to bug reporting

["Michael S. Tsirkin" <mst@redhat.com>]

On Thu, Jun 04, 2026 at 05:50:47PM +0100, Daniel P. Berrangé wrote:
> A while back we added a requirement to declare the use of any
> automated tooling used in discover of security issues, and set
> a rule that the reporter must perform triage before submission
> rather than blindly reporting issues. This applies equally
> well to normal issue reporting, so copy it over from the
> security process guidance.
> 
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>


Acked-by: Michael S. Tsirkin <mst@redhat.com>

Maybe .gitlab/issue_templates/bug.md should be updated then?

> ---
>  contribute/report-a-bug.md | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/contribute/report-a-bug.md b/contribute/report-a-bug.md
> index 6071837..fd3bc6b 100644
> --- a/contribute/report-a-bug.md
> +++ b/contribute/report-a-bug.md
> @@ -20,6 +20,13 @@ on GitLab, taking into account the following guidance.
>    to the vendor's own bug tracker instead, or reproduced with
>    an upstream QEMU build prior to submission.
>  
> +* If any automated tools (AI/LLM based, traditional static
> +  analysis, or fuzzers) were used to discover the issue, the
> +  reporter is required to declare this at the start of the
> +  bug report. Users of such tools are required to perform
> +  triage of their output to validate all findings and reproducer
> +  scenarios prior to submitting a bug report.
> +
>  * Reproduce the problem directly with a QEMU command-line. Avoid
>    frontends and management stacks, to ensure that the bug is in
>    QEMU itself and not in a frontend and make it easier for
> -- 
> 2.54.0