diff options
| author |   Willy Tarreau <w@1wt.eu> | 2025-08-14 21:27:29 +0200 |
|---|---|---|
| committer |   Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-08-17 12:23:28 +0200 |
| commit | d49172bbd7eb07e4ba5e52238eaa9caf692c1cea (patch) | |
| tree | ca7dd9ec62147a34cb368767af35dbd2897c1a8b | |
| parent | debugfs: fix mount options not being applied (diff) | |
| download | wireguard-linux-d49172bbd7eb07e4ba5e52238eaa9caf692c1cea.tar.xz wireguard-linux-d49172bbd7eb07e4ba5e52238eaa9caf692c1cea.zip | |
Documentation: clarify the expected collaboration with security bugs reporters
Some bug reports sent to the security team sometimes lack any explanation,
are only AI-generated without verification, or sometimes it can simply be
difficult to have a conversation with an invisible reporter belonging to
an opaque team. This fortunately remains rare but the trend has been
steadily increasing over the last years and it seems important to clarify
what developers expect from reporters to avoid frustration on any side and
keep the process efficient.
Signed-off-by: Willy Tarreau <w@1wt.eu>
Reviewed-by: Kees Cook <kees@kernel.org>
Link: https://lore.kernel.org/r/20250814192730.19252-1-w@1wt.eu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | Documentation/process/security-bugs.rst | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst index 56c560a00b37..7dcc034d3df8 100644 --- a/Documentation/process/security-bugs.rst +++ b/Documentation/process/security-bugs.rst @@ -19,6 +19,16 @@ that can speed up the process considerably. It is possible that the security team will bring in extra help from area maintainers to understand and fix the security vulnerability. +The security team and maintainers almost always require additional +information beyond what was initially provided in a report and rely on +active and efficient collaboration with the reporter to perform further +testing (e.g., verifying versions, configuration options, mitigations, or +patches). Before contacting the security team, the reporter must ensure +they are available to explain their findings, engage in discussions, and +run additional tests. Reports where the reporter does not respond promptly +or cannot effectively discuss their findings may be abandoned if the +communication does not quickly improve. + As it is with any bug, the more information provided the easier it will be to diagnose and fix. Please review the procedure outlined in 'Documentation/admin-guide/reporting-issues.rst' if you are unclear about what |