Re: [PATCH v3 3/3] Documentation: security-bugs: clarify requirements for AI-assisted reports

[Jonathan Corbet <corbet@lwn.net>]

Jonathan Corbet <corbet@lwn.net> writes:

> Willy Tarreau <w@1wt.eu> writes:
>
>> On Wed, May 13, 2026 at 12:30:10PM +0200, Greg KH wrote:
>>> > One nit:
>>> > 
>>> > > +  * **Impact Evaluation**: Many AI-generated reports lack an understanding of
>>> > > +    the kernel's threat model and go to great lengths inventing theoretical
>>> > > +    consequences.
>>> > 
>>> > If only we had a shiny new document describing that threat model that we
>>> > could reference here... :)
>>> 
>>> Ah yes, a link to that would make things better, but don't we have that
>>> elsewhere in this series?
>>
>> It's in the same patch, I think Jon was sarcastic here. I thought I had
>> addressed that one but apparently I was wrong :-/
>
> I'm just saying that this particular text should link to that document,
> don't make readers go searching for it.  I can certainly add a patch
> doing that if you like.

I was thinking something like this.

jon

From 3f02a3c190bab6b54e2a250ead0c7408af1a3c51 Mon Sep 17 00:00:00 2001
From: Jonathan Corbet <corbet@lwn.net>
Date: Wed, 13 May 2026 14:51:29 -0600
Subject: [PATCH 1/2] docs: security-bugs: add a link to the threat-model
 documentation

Rather than make readers search for this document, just a link to it where
it is referenced.

(While I was at it, I removed the unused and unneeded _threatmodel label
from the top of threat-model.rst).

Signed-off-by: Jonathan Corbet <corbet@lwn.net>
---
 Documentation/process/security-bugs.rst | 13 +++++++------
 Documentation/process/threat-model.rst  |  2 --
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
index f85c65f31f12f..3c51ddde31dd9 100644
--- a/Documentation/process/security-bugs.rst
+++ b/Documentation/process/security-bugs.rst
@@ -191,12 +191,13 @@ handle:
     Please **always convert your report to plain text** without any formatting
     decorations before sending it.
 
-  * **Impact Evaluation**: Many AI-generated reports lack an understanding of
-    the kernel's threat model and go to great lengths inventing theoretical
-    consequences. This adds noise and complicates triage. Please stick to
-    verifiable facts (e.g., "this bug permits any user to gain CAP_NET_ADMIN")
-    without enumerating speculative implications. Have your tool read this
-    documentation as part of the evaluation process.
+  * **Impact Evaluation**: Many AI-generated reports lack an understanding
+    of the kernel's threat model (see Documentation/process/threat-model.rst)
+    and go to great lengths inventing theoretical consequences. This adds
+    noise and complicates triage. Please stick to verifiable facts (e.g.,
+    "this bug permits any user to gain CAP_NET_ADMIN") without enumerating
+    speculative implications. Have your tool read this documentation as
+    part of the evaluation process.
 
   * **Reproducer**: AI-based tools are often capable of generating reproducers.
     Please always ensure your tool provides one and **test it thoroughly**. If
diff --git a/Documentation/process/threat-model.rst b/Documentation/process/threat-model.rst
index ecb432390e792..91da52f7114fd 100644
--- a/Documentation/process/threat-model.rst
+++ b/Documentation/process/threat-model.rst
@@ -1,5 +1,3 @@
-.. _threatmodel:
-
 The Linux Kernel threat model
 =============================
 
-- 
2.53.0