Re: [PATCH v3 2/3] Documentation: security-bugs: explain what is and is not a security bug

[Greg KH <greg@kroah.com>]

On Sat, May 09, 2026 at 11:47:54AM +0200, Willy Tarreau wrote:
> The use of automated tools to find bugs in random locations of the kernel
> induces a raise of security reports even if most of them should just be
> reported as regular bugs. This patch is an attempt at drawing a line
> between what qualifies as a security bug and what does not, hoping to
> improve the situation and ease decision on the reporter's side.
> 
> It defers the enumeration to a new file, threat-model.rst, that tries
> to enumerate various classes of issues that are and are not security
> bugs. This should permit to more easily update this file for various
> subsystem-specific rules without having to revisit the security bug
> reporting guide.
> 
> Cc: Greg KH <gregkh@linuxfoundation.org>
> Cc: Leon Romanovsky <leon@kernel.org>
> Suggested-by: Leon Romanovsky <leon@kernel.org>
> Suggested-by: Greg KH <gregkh@linuxfoundation.org>
> Reviewed-by: Leon Romanovsky <leon@kernel.org>
> Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
> Signed-off-by: Willy Tarreau <w@1wt.eu>
> ---
>  Documentation/process/index.rst         |   1 +
>  Documentation/process/security-bugs.rst |  38 +++-
>  Documentation/process/threat-model.rst  | 236 ++++++++++++++++++++++++
>  3 files changed, 274 insertions(+), 1 deletion(-)
>  create mode 100644 Documentation/process/threat-model.rst

Looks great, thank you!

Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Want me to take it through one of my trees now to get it to Linus this
week, or should it go through the documentation tree?  Either is fine
with me.

thanks,

greg k-h