From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on archive.lwn.net X-Spam-Level: X-Spam-Status: No, score=-4.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, RCVD_IN_DNSWL_HI,T_RP_MATCHES_RCVD autolearn=ham autolearn_force=no version=3.4.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by archive.lwn.net (Postfix) with ESMTP id B7B2B7E686 for ; Tue, 6 Mar 2018 23:32:37 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754151AbeCFXch (ORCPT ); Tue, 6 Mar 2018 18:32:37 -0500 Received: from mga11.intel.com ([192.55.52.93]:35013 "EHLO mga11.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754019AbeCFXcg (ORCPT ); Tue, 6 Mar 2018 18:32:36 -0500 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 06 Mar 2018 15:32:35 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.47,433,1515484800"; d="scan'208";a="206044826" Received: from viggo.jf.intel.com (HELO localhost.localdomain) ([10.54.39.119]) by orsmga005.jf.intel.com with ESMTP; 06 Mar 2018 15:32:35 -0800 Subject: [PATCH] docs: clarify security-bugs disclosure policy To: linux-kernel@vger.kernel.org Cc: Dave Hansen , tglx@linutronix.de, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, gnomes@lxorguk.ukuu.org.uk, aarcange@redhat.com, luto@kernel.org, keescook@google.com, tim.c.chen@linux.intel.com, dan.j.williams@intel.com, viro@zeniv.linux.org.uk, akpm@linux-foundation.org, linux-doc@vger.kernel.org, corbet@lwn.net, mark.rutland@arm.com From: Dave Hansen Date: Tue, 06 Mar 2018 15:31:40 -0800 Message-Id: <20180306233140.268BD8E1@viggo.jf.intel.com> Sender: linux-doc-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-doc@vger.kernel.org From: Dave Hansen I think we need to soften the language a bit. It might scare folks off, especially the: We prefer to fully disclose the bug as soon as possible. which is not really the case. As Greg mentioned in private mail, we really do not prefer to disclose things until *after* a fix. The whole "we have the final say" is also a bit harsh. Signed-off-by: Dave Hansen Cc: Thomas Gleixner Cc: Greg Kroah-Hartman Cc: Linus Torvalds Cc: Alan Cox Cc: Andrea Arcangeli Cc: Andy Lutomirski Cc: Kees Cook Cc: Tim Chen Cc: Dan Williams Cc: Alexander Viro Cc: Andrew Morton Cc: linux-doc@vger.kernel.org Cc: Jonathan Corbet Cc: Mark Rutland --- b/Documentation/admin-guide/security-bugs.rst | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff -puN Documentation/admin-guide/security-bugs.rst~embargo Documentation/admin-guide/security-bugs.rst --- a/Documentation/admin-guide/security-bugs.rst~embargo 2018-03-06 14:47:04.519431230 -0800 +++ b/Documentation/admin-guide/security-bugs.rst 2018-03-06 14:57:46.410429629 -0800 @@ -29,18 +29,22 @@ made public. Disclosure ---------- -The goal of the Linux kernel security team is to work with the -bug submitter to bug resolution as well as disclosure. We prefer -to fully disclose the bug as soon as possible. It is reasonable to -delay disclosure when the bug or the fix is not yet fully understood, -the solution is not well-tested or for vendor coordination. However, we -expect these delays to be short, measurable in days, not weeks or months. +The goal of the Linux kernel security team is to work with the bug +submitter to bug resolution as well as disclosure. We prefer to fully +disclose the bug as soon as possible after a fix is available. It is +customary to delay disclosure when the bug or the fix is not yet fully +understood, the solution is not well-tested or for vendor coordination. +However, we expect these delays to typically be short, measurable in +days, not weeks or months. + A disclosure date is negotiated by the security team working with the -bug submitter as well as vendors. However, the kernel security team -holds the final say when setting a disclosure date. The timeframe for -disclosure is from immediate (esp. if it's already publicly known) -to a few weeks. As a basic default policy, we expect report date to -disclosure date to be on the order of 7 days. +bug submitter as well as affected vendors. The security team prefers +coordinated disclosure and will consider pre-existing, reasonable +disclosure dates. + +The timeframe for disclosure ranges from immediate (esp. if it's +already publicly known) to a few weeks. As a basic default policy, we +expect report date to disclosure date to be on the order of 7 days. Coordination ------------ _ -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html