* Re: [PATCH] Documentation: insist on the plain-text requirement for security reports
2025-11-29 14:17 [PATCH] Documentation: insist on the plain-text requirement for security reports Willy Tarreau
@ 2025-12-01 6:38 ` Greg KH
2025-12-01 7:12 ` Willy Tarreau
2025-12-22 22:32 ` Jonathan Corbet
2025-12-01 20:47 ` Ingo Molnar
2025-12-03 14:40 ` Kees Cook
2 siblings, 2 replies; 8+ messages in thread
From: Greg KH @ 2025-12-01 6:38 UTC (permalink / raw)
To: Willy Tarreau
Cc: Jonathan Corbet, Security Officers, kees, linux-doc, linux-kernel
On Sat, Nov 29, 2025 at 03:17:41PM +0100, Willy Tarreau wrote:
> As the trend of AI-generated reports is growing, the trend of unreadable
> reports in gimmicky formats is following, and we cannot request that
> developers rely on online viewers to be able to read a security report
> full for formatting tags. Let's just insist on the plain text requirement
> a bit more.
>
> Signed-off-by: Willy Tarreau <w@1wt.eu>
> ---
> Documentation/process/security-bugs.rst | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
Looks good to me! Given the number of non-plain-text emails with binary
attachments we still get there, it's obvious not many people seem to
read this file, but it can't hurt! :)
I'll queue this up if Jon doesn't, after -rc1 is out. If he wants to
take it, here's my:
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH] Documentation: insist on the plain-text requirement for security reports
From: Willy Tarreau @ 2025-12-01 7:12 UTC (permalink / raw)
To: Greg KH; +Cc: Jonathan Corbet, Security Officers, kees, linux-doc, linux-kernel
On Mon, Dec 01, 2025 at 07:38:17AM +0100, Greg KH wrote:
> On Sat, Nov 29, 2025 at 03:17:41PM +0100, Willy Tarreau wrote:
> > As the trend of AI-generated reports is growing, the trend of unreadable
> > reports in gimmicky formats is following, and we cannot request that
> > developers rely on online viewers to be able to read a security report
> > full for formatting tags. Let's just insist on the plain text requirement
> > a bit more.
> >
> > Signed-off-by: Willy Tarreau <w@1wt.eu>
> > ---
> > Documentation/process/security-bugs.rst | 6 +++++-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
>
> Looks good to me! Given the number of non-plain-text emails with binary
> attachments we still get there, it's obvious not many people seem to
> read this file, but it can't hurt! :)
At least it gives us a place to point to, saying "look at the rules".
> I'll queue this up if Jon doesn't, after -rc1 is out. If he wants to
> take it, here's my:
>
> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thanks! Oh BTW I'm noticing a typo in the commit message above
"full for" instead of "full of". Feel free to adjust it while
applying, though it's really not important (and no, I won't
respin a patch just for this :-)).
Willy
* Re: [PATCH] Documentation: insist on the plain-text requirement for security reports
From: Jonathan Corbet @ 2025-12-22 22:32 UTC (permalink / raw)
To: Greg KH, Willy Tarreau; +Cc: Security Officers, kees, linux-doc, linux-kernel
Greg KH <gregkh@linuxfoundation.org> writes:
> On Sat, Nov 29, 2025 at 03:17:41PM +0100, Willy Tarreau wrote:
>> As the trend of AI-generated reports is growing, the trend of unreadable
>> reports in gimmicky formats is following, and we cannot request that
>> developers rely on online viewers to be able to read a security report
>> full for formatting tags. Let's just insist on the plain text requirement
>> a bit more.
>>
>> Signed-off-by: Willy Tarreau <w@1wt.eu>
>> ---
>> Documentation/process/security-bugs.rst | 6 +++++-
>> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> Looks good to me! Given the number of non-plain-text emails with binary
> attachments we still get there, it's obvious not many people seem to
> read this file, but it can't hurt! :)
>
> I'll queue this up if Jon doesn't, after -rc1 is out. If he wants to
> take it, here's my:
>
> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
I grabbed it, thanks.
jon
* Re: [PATCH] Documentation: insist on the plain-text requirement for security reports
From: Ingo Molnar @ 2025-12-01 20:47 UTC (permalink / raw)
To: Willy Tarreau
Cc: Jonathan Corbet, Security Officers, gregkh, kees, linux-doc,
linux-kernel
* Willy Tarreau <w@1wt.eu> wrote:
> As the trend of AI-generated reports is growing, the trend of unreadable
> reports in gimmicky formats is following, and we cannot request that
> developers rely on online viewers to be able to read a security report
> full for formatting tags. Let's just insist on the plain text requirement
> a bit more.
>
> Signed-off-by: Willy Tarreau <w@1wt.eu>
> ---
> Documentation/process/security-bugs.rst | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
> index 84657e7d2e5b..c0cf93e11565 100644
> --- a/Documentation/process/security-bugs.rst
> +++ b/Documentation/process/security-bugs.rst
> @@ -33,12 +33,16 @@ that can speed up the process considerably. It is possible that the
> security team will bring in extra help from area maintainers to
> understand and fix the security vulnerability.
>
> -Please send plain text emails without attachments where possible.
> +Please send **plain text** emails without attachments where possible.
So maybe part of the confusion is that this sentence
can be read permissively, depending how the 'where
possible' qualifier is interpreted:
Please send plain text emails without attachments,
where possible.
Note how "it's not possible because my report is in
PDF" seems to allow for that in the permissive reading.
What that sentence should really say is something like:
Please send plain text emails only. Please do not
include any attachments, where possible.
This makes it clear that only plain text emails are
acceptable.
I.e. something like the patch below?
Thanks,
Ingo
============================================>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Documentation/process/security-bugs.rst | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
index 84657e7d2e5b..4a76928a700e 100644
--- a/Documentation/process/security-bugs.rst
+++ b/Documentation/process/security-bugs.rst
@@ -33,12 +33,16 @@ that can speed up the process considerably. It is possible that the
security team will bring in extra help from area maintainers to
understand and fix the security vulnerability.
-Please send plain text emails without attachments where possible.
-It is much harder to have a context-quoted discussion about a complex
-issue if all the details are hidden away in attachments. Think of it like a
-:doc:`regular patch submission <../process/submitting-patches>`
+Please send **plain text** emails only. Please do not include any
+attachments, where possible. It is much harder to have a context-quoted
+discussion about a complex issue if all the details are hidden away
+in attachments. Think of it like a :doc:`regular patch submission <../process/submitting-patches>`
(even if you don't have a patch yet): describe the problem and impact, list
reproduction steps, and follow it with a proposed fix, all in plain text.
+Markdown, HTML and RST formatted reports are particularly frowned upon since
+they're quite hard to read for humans and encourage to use dedicated viewers,
+sometimes online, which by definition is not acceptable for a confidential
+security report.
Disclosure and embargoed information
------------------------------------
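Review bot: The patch carries a Signed-off-by but no changelog text; a one-line description of the problem being fixed (the permissive reading of "where possible" that the cover text explains) would help whoever applies it. In the hunk itself, the split into "Please send **plain text** emails only. Please do not include any attachments, where possible." does make the qualifier apply to attachments alone, as intended, but the rewrapped line "in attachments. Think of it like a :doc:`regular patch submission <../process/submitting-patches>`" now runs noticeably longer than the surrounding text; consider wrapping the `:doc:` reference onto its own line as the original did. The added paragraph also keeps the ungrammatical "encourage to use dedicated viewers" from the original patch; "encourage the use of dedicated viewers" reads correctly.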
* Re: [PATCH] Documentation: insist on the plain-text requirement for security reports
From: Willy Tarreau @ 2025-12-03 7:16 UTC (permalink / raw)
To: Ingo Molnar
Cc: Jonathan Corbet, Security Officers, gregkh, kees, linux-doc,
linux-kernel
Hi Ingo,
On Mon, Dec 01, 2025 at 09:47:01PM +0100, Ingo Molnar wrote:
>
> * Willy Tarreau <w@1wt.eu> wrote:
>
> > As the trend of AI-generated reports is growing, the trend of unreadable
> > reports in gimmicky formats is following, and we cannot request that
> > developers rely on online viewers to be able to read a security report
> > full for formatting tags. Let's just insist on the plain text requirement
> > a bit more.
> >
> > Signed-off-by: Willy Tarreau <w@1wt.eu>
> > ---
> > Documentation/process/security-bugs.rst | 6 +++++-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
> > index 84657e7d2e5b..c0cf93e11565 100644
> > --- a/Documentation/process/security-bugs.rst
> > +++ b/Documentation/process/security-bugs.rst
> > @@ -33,12 +33,16 @@ that can speed up the process considerably. It is possible that the
> > security team will bring in extra help from area maintainers to
> > understand and fix the security vulnerability.
> >
> > -Please send plain text emails without attachments where possible.
> > +Please send **plain text** emails without attachments where possible.
>
> So maybe part of the confusion is that this sentence
> can be read permissively, depending how the 'where
> possible' qualifier is interpreted:
>
> Please send plain text emails without attachments,
> where possible.
>
> Note how "it's not possible because my report is in
> PDF" seems to allow for that in the permissive reading.
>
> What that sentence should really say is something like:
>
> Please send plain text emails only. Please do not
> include any attachments, where possible.
>
> This makes it clear that only plain text emails are
> acceptable.
Well, honestly I don't think it *really* makes a difference.
Either the message is read, understood, and compatible with
the rules in place, or it is not. As you know, we're getting
regular reports as a password-protected ZIP and stuff like
this, and it's not changing because people follow the rules
in place. However those who quickly glance at the text above
might have been believing that markdown and HTML were plain
text. With the extra addition it clarifies this specific
point, and since most returning submitters try to improve on
their second submission after our feedback I think it will
help us deliver this "feedback" prior to their first message.
> Ie. something like the patch below?
I have nothing against it but I'm not convinced at all that
it brings any extra benefit over the first one. I'm fine with
both in fact.
Thanks,
Willy
* Re: [PATCH] Documentation: insist on the plain-text requirement for security reports
From: Kees Cook @ 2025-12-03 14:40 UTC (permalink / raw)
To: Willy Tarreau, Jonathan Corbet
Cc: Security Officers, gregkh, linux-doc, linux-kernel
On November 29, 2025 6:17:41 AM PST, Willy Tarreau <w@1wt.eu> wrote:
>As the trend of AI-generated reports is growing, the trend of unreadable
>reports in gimmicky formats is following, and we cannot request that
>developers rely on online viewers to be able to read a security report
>full for formatting tags. Let's just insist on the plain text requirement
>a bit more.
>
>Signed-off-by: Willy Tarreau <w@1wt.eu>
>---
> Documentation/process/security-bugs.rst | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
>diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
>index 84657e7d2e5b..c0cf93e11565 100644
>--- a/Documentation/process/security-bugs.rst
>+++ b/Documentation/process/security-bugs.rst
>@@ -33,12 +33,16 @@ that can speed up the process considerably. It is possible that the
> security team will bring in extra help from area maintainers to
> understand and fix the security vulnerability.
>
>-Please send plain text emails without attachments where possible.
>+Please send **plain text** emails without attachments where possible.
> It is much harder to have a context-quoted discussion about a complex
> issue if all the details are hidden away in attachments. Think of it like a
> :doc:`regular patch submission <../process/submitting-patches>`
> (even if you don't have a patch yet): describe the problem and impact, list
> reproduction steps, and follow it with a proposed fix, all in plain text.
>+Markdown, HTML and RST formatted reports are particularly frowned upon since
>+they're quite hard to read for humans and encourage to use dedicated viewers,
>+sometimes online, which by definition is not acceptable for a confidential
>+security report.
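Review bot: The added paragraph reads "encourage to use dedicated viewers", which is ungrammatical; suggest "encourage the use of dedicated viewers". The first change only wraps "plain text" in RST strong emphasis while leaving "where possible" in place, so the sentence still reads as a preference rather than a requirement, and reporters reading the raw .rst rather than the rendered page will just see the asterisks; if the intent is to make plain text mandatory, the wording needs to say so rather than rely on emphasis.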
HTML sure. But why discourage .md and .rst? Markdown is pretty well the de facto "human readable" markup format and our own kernel documentation is .rst. Those are good for seeing code snippets, etc.
I would call out PDF and ZIP instead. We especially don't want _binary_ formats.
-Kees
--
Kees Cook
* Re: [PATCH] Documentation: insist on the plain-text requirement for security reports
From: Willy Tarreau @ 2025-12-03 14:58 UTC (permalink / raw)
To: Kees Cook
Cc: Jonathan Corbet, Security Officers, gregkh, linux-doc,
linux-kernel
On Wed, Dec 03, 2025 at 06:40:38AM -0800, Kees Cook wrote:
> >+Markdown, HTML and RST formatted reports are particularly frowned upon since
> >+they're quite hard to read for humans and encourage to use dedicated viewers,
> >+sometimes online, which by definition is not acceptable for a confidential
> >+security report.
>
> HTML sure. But why discourage .md and .rst? Markdown is pretty well the
> de facto "human readable" markup format and our own kernel documentation is
> .rst. Those are good for seeing code snippets, etc.
Quite frankly, have you tried to read the latest reports? They're full
of "**" everywhere with no spacing nor indent at all, it's particularly
hard to find the relevant information in them. It's super tempting to
copy-paste them to the plenty of online viewers to render them correctly,
except we'd rather not do that for obvious reasons. And when you start
to discuss it gets even worse with ``` formatting tags isolated between
quoted paragraphs and no longer being relevant.
And let's be honest, these ones are close to 100% of the time generated
by AI tools which are almost unable to produce anything else anymore by
default because that's what they're using to interact with the chatbot's
UI. If at least that forces those seeking a CVE number to actually *read*
what their favorite AI bot produced, it will be a huge gain for everyone.
Right now I'm really ashamed to forward AI-generated garbage to subsystem
maintainers just in case there would be anything valid despite the format
already strongly hinting otherwise.
> I would call out PDF and ZIP instead. We especially don't want _binary_
> formats.
IMHO we don't want useless nor hard-to-exploit reports in the first
place, and to date I don't remember seeing a really valid and
immediately actionable one using such decorations, since they were
not written by the reporters.
Willy