From: Jonathan Corbet <corbet@lwn.net>
To: Vegard Nossum <vegard.nossum@oracle.com>, linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
Vegard Nossum <vegard.nossum@oracle.com>,
Amit Shah <aams@amazon.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
David Woodhouse <dwmw@amazon.co.uk>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Gustavo A . R . Silva" <gustavoars@kernel.org>,
Jiri Kosina <jkosina@suse.cz>, Kees Cook <keescook@chromium.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Paolo Bonzini <pbonzini@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Solar Designer <solar@openwall.com>,
Thomas Gleixner <tglx@linutronix.de>,
Thorsten Leemhuis <linux@leemhuis.info>,
Will Deacon <will@kernel.org>, Willy Tarreau <w@1wt.eu>
Subject: Re: [PATCH] Documentation/security-bugs: overhaul
Date: Wed, 01 Jun 2022 10:58:50 -0600 [thread overview]
Message-ID: <87fsko48xh.fsf@meer.lwn.net> (raw)
In-Reply-To: <20220531230309.9290-1-vegard.nossum@oracle.com>
Vegard Nossum <vegard.nossum@oracle.com> writes:
> The current instructions for reporting security vulnerabilities in the
> kernel are not clear enough, in particular the process of disclosure
> and requesting CVEs, and what the roles of the different lists are and
> how exactly to report to each of them.
>
> Let's give this document an overhaul. Goals are stated as a comment at
> the top of the document itself (these will not appear in the rendered
> document).
OK, some other thoughts...
[...]
> +Linux kernel security team at security@kernel.org, henceforth "the
> +security list". This is a closed list of trusted developers who will
> +help verify the bug report and develop a patch.
> +
> +While the security list is closed, the security team may bring in
> +extra help from the relevant maintainers to understand and fix the
> +security vulnerability.
> +
> +Note that the main interest of the kernel security list is in getting
> +bugs fixed; CVE assignment, disclosure to distributions, and public
> +disclosure happens on different lists with different people.
Adding "as described below" or some such might be helpful for readers
who are mostly interested in those things.
> +Here is a quick overview of the various lists:
> +
> +.. list-table::
> + :widths: 35 10 20 35
> + :header-rows: 1
> +
> + * - List address
> + - Open?
> + - Purpose
> + - Members
> + * - security@kernel.org
> + - Closed
> + - Reporting; patch development
> + - Trusted kernel developers
> + * - linux-distros@vs.openwall.org
> + - Closed
> + - Coordination; CVE assignment; patch development, testing, and backporting
> + - Linux distribution representatives
> + * - oss-security@lists.openwall.com
> + - Public
> + - Disclosure
> + - General public
Please don't use list-table, that's totally unreadable in the plain-text
format. How about something like:
=============================== ===== ================= ===============
List address Open? Purpose Members
=============================== ===== ================= ===============
security@kernel.org no Reporting Trusted kernel
developers
Patch development
linux-distros@vs.openwall.org no Coordination Distribution
representatives
CVE assignment
Patch development
Testing
Backporting
oss-security@lists.openwall.com yes Disclosure General public
=============================== ===== ================= ===============
(Note I haven't tried to format this, there's probably an error in there
somewhere).
> +The following sections give a step-by-step guide to reporting and
> +disclosure.
> +
> +Contacting the security list
> +----------------------------
> +
> +As it is with any bug, the more information provided the easier it will
> +be to diagnose and fix; please review the procedure outlined in
> +Documentation/admin-guide/reporting-issues.rst if you are unclear about
> +what information is helpful. Any exploit code is very helpful and will
> +not be released without consent from the reporter unless it has already
> +been made public.
> +
> +The security team does not assign CVEs, nor does it require them
> +for reports or fixes. CVEs may be requested when the issue is reported to
> +the linux-distros list.
> +
> +**Disclosure.** The security list prefers to merge fixes into the
> +appropriate public git repository as soon as they become available.
More to the point, the idea is to get *review attention* onto the
patches, presumably before they are commited to some repo, right?
That's my understanding from the oss-security discussion, anyway. So
the first disclosure may not be when it shows up in a repo, as suggested
here.
[...]
> +Once a patch has been developed, you are encouraged to contact the
> +linux-distros list; see below.
Nit: "see below" seems unnecessary when "below" is the next line down
> +Contacting the linux-distros list
> +---------------------------------
> +
> +Fixes for particularly sensitive bugs (such as those that might lead to
> +privilege escalations) may need to be coordinated with the private
> +linux-distros mailing list (linux-distros@vs.openwall.org) so that
> +distribution vendors are well prepared to release a fixed kernel as soon
> +as possible after the public disclosure of the upstream fix. This
> +includes verifying the reported issue, testing proposed fixes,
> +developing a fix (if none is known yet), and backporting to older kernels
> +and other versions.
> +
> +The linux-distros list can also help with assigning a CVE for your issue.
> +
> +**Disclosure.** The linux-distros list has a strict policy of requiring
> +reporters to post about the security issue on oss-security within 14 days
> +of the list being contacted regardless of whether a patch is available or
> +not. It is therefore preferable that you don't send your initial bug
> +report to the linux-distros list unless you already have a patch for the
> +issue.
> +
> +**List rules.** The main rules to be aware of when contacting the
> +linux-distros list are:
So this seems certain to go out of date when the other list's rules
change. I wonder if it would be better just to tell readers they need
to be aware of that list's rules and give a pointer?
Thanks,
jon
next prev parent reply other threads:[~2022-06-01 16:58 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-31 23:03 [PATCH] Documentation/security-bugs: overhaul Vegard Nossum
2022-06-01 3:12 ` Willy Tarreau
2022-06-02 15:34 ` Vegard Nossum
2022-06-03 6:49 ` Willy Tarreau
2022-06-06 14:21 ` Vegard Nossum
2022-06-06 15:07 ` Willy Tarreau
2022-06-01 13:38 ` Jonathan Corbet
2022-06-01 16:58 ` Jonathan Corbet [this message]
2022-06-02 17:53 ` Vegard Nossum
2022-06-04 0:43 ` Mauro Carvalho Chehab
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87fsko48xh.fsf@meer.lwn.net \
--to=corbet@lwn.net \
--cc=aams@amazon.com \
--cc=dave.hansen@linux.intel.com \
--cc=dwmw@amazon.co.uk \
--cc=gregkh@linuxfoundation.org \
--cc=gustavoars@kernel.org \
--cc=jkosina@suse.cz \
--cc=keescook@chromium.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@leemhuis.info \
--cc=mchehab@kernel.org \
--cc=pbonzini@redhat.com \
--cc=peterz@infradead.org \
--cc=solar@openwall.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=vegard.nossum@oracle.com \
--cc=w@1wt.eu \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).