[PATCH 1/2] Documentation: clarify the expected collaboration with security bugs reporters

[PATCH 1/2] Documentation: clarify the expected collaboration with security bugs reporters

[Willy Tarreau]

Some bug reports sent to the security team sometimes lack any explanation,
are only AI-generated without verification, or sometimes it can simply be
difficult to have a conversation with an invisible reporter belonging to
an opaque team. This fortunately remains rare but the trend has been
steadily increasing over the last years and it seems important to clarify
what developers expect from reporters to avoid frustration on any side and
keep the process efficient.

Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
 Documentation/process/security-bugs.rst | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
index 56c560a00b37a..7dcc034d3df8e 100644
--- a/Documentation/process/security-bugs.rst
+++ b/Documentation/process/security-bugs.rst
@@ -19,6 +19,16 @@ that can speed up the process considerably.  It is possible that the
 security team will bring in extra help from area maintainers to
 understand and fix the security vulnerability.
 
+The security team and maintainers almost always require additional
+information beyond what was initially provided in a report and rely on
+active and efficient collaboration with the reporter to perform further
+testing (e.g., verifying versions, configuration options, mitigations, or
+patches). Before contacting the security team, the reporter must ensure
+they are available to explain their findings, engage in discussions, and
+run additional tests.  Reports where the reporter does not respond promptly
+or cannot effectively discuss their findings may be abandoned if the
+communication does not quickly improve.
+
 As it is with any bug, the more information provided the easier it
 will be to diagnose and fix.  Please review the procedure outlined in
 'Documentation/admin-guide/reporting-issues.rst' if you are unclear about what
-- 
2.17.5

[PATCH 2/2] Documentation: smooth the text flow in the security bug reporting process

[Willy Tarreau]

The text was presenting the team, the the e-mail address, then some of
the expectations, then what form of e-mail is expected. By switching
the e-mail paragraph two paragraphs later and dropping the "Contact"
sub-section, we can have a more natural flow that presents the team,
then its expectation, then how to best contribute, then where to send.

And more importantly, it increases the chances that reporters have read
the prerequisites before finding the e-mail address.

Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
 Documentation/process/security-bugs.rst | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
index 7dcc034d3df8e..84657e7d2e5b4 100644
--- a/Documentation/process/security-bugs.rst
+++ b/Documentation/process/security-bugs.rst
@@ -8,17 +8,6 @@ like to know when a security bug is found so that it can be fixed and
 disclosed as quickly as possible.  Please report security bugs to the
 Linux kernel security team.
 
-Contact
--------
-
-The Linux kernel security team can be contacted by email at
-<security@kernel.org>.  This is a private list of security officers
-who will help verify the bug report and develop and release a fix.
-If you already have a fix, please include it with your report, as
-that can speed up the process considerably.  It is possible that the
-security team will bring in extra help from area maintainers to
-understand and fix the security vulnerability.
-
 The security team and maintainers almost always require additional
 information beyond what was initially provided in a report and rely on
 active and efficient collaboration with the reporter to perform further
@@ -36,6 +25,14 @@ information is helpful.  Any exploit code is very helpful and will not
 be released without consent from the reporter unless it has already been
 made public.
 
+The Linux kernel security team can be contacted by email at
+<security@kernel.org>.  This is a private list of security officers
+who will help verify the bug report and develop and release a fix.
+If you already have a fix, please include it with your report, as
+that can speed up the process considerably.  It is possible that the
+security team will bring in extra help from area maintainers to
+understand and fix the security vulnerability.
+
 Please send plain text emails without attachments where possible.
 It is much harder to have a context-quoted discussion about a complex
 issue if all the details are hidden away in attachments.  Think of it like a
-- 
2.17.5

Re: [PATCH 1/2] Documentation: clarify the expected collaboration with security bugs reporters

[Kees Cook]

On Thu, Aug 14, 2025 at 09:27:29PM +0200, Willy Tarreau wrote:
> Some bug reports sent to the security team sometimes lack any explanation,
> are only AI-generated without verification, or sometimes it can simply be
> difficult to have a conversation with an invisible reporter belonging to
> an opaque team. This fortunately remains rare but the trend has been
> steadily increasing over the last years and it seems important to clarify
> what developers expect from reporters to avoid frustration on any side and
> keep the process efficient.
> 
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Willy Tarreau <w@1wt.eu>

Reviewed-by: Kees Cook <kees@kernel.org>

-- 
Kees Cook

Re: [PATCH 2/2] Documentation: smooth the text flow in the security bug reporting process

[Kees Cook]

On Thu, Aug 14, 2025 at 09:27:30PM +0200, Willy Tarreau wrote:
> The text was presenting the team, the the e-mail address, then some of
> the expectations, then what form of e-mail is expected. By switching
> the e-mail paragraph two paragraphs later and dropping the "Contact"
> sub-section, we can have a more natural flow that presents the team,
> then its expectation, then how to best contribute, then where to send.
> 
> And more importantly, it increases the chances that reporters have read
> the prerequisites before finding the e-mail address.
> 
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Willy Tarreau <w@1wt.eu>

Reviewed-by: Kees Cook <kees@kernel.org>

-- 
Kees Cook

Re: [PATCH 1/2] Documentation: clarify the expected collaboration with security bugs reporters

[Greg Kroah-Hartman]

On Thu, Aug 14, 2025 at 09:27:29PM +0200, Willy Tarreau wrote:
> Some bug reports sent to the security team sometimes lack any explanation,
> are only AI-generated without verification, or sometimes it can simply be
> difficult to have a conversation with an invisible reporter belonging to
> an opaque team. This fortunately remains rare but the trend has been
> steadily increasing over the last years and it seems important to clarify
> what developers expect from reporters to avoid frustration on any side and
> keep the process efficient.
> 
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Willy Tarreau <w@1wt.eu>
> ---
>  Documentation/process/security-bugs.rst | 10 ++++++++++
>  1 file changed, 10 insertions(+)

Both of these look good to me, thanks!  I'll queue them up after the
next -rc is out.

greg k-h