Date:   Mon, 6 Mar 2023 07:08:37 +0100
From:   Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:     Vegard Nossum <vegard.nossum@...cle.com>
Cc:     Jonathan Corbet <corbet@....net>, linux-doc@...r.kernel.org,
        Jiri Kosina <jkosina@...e.cz>,
        Solar Designer <solar@...nwall.com>,
        Will Deacon <will@...nel.org>, Willy Tarreau <w@....eu>,
        linux-kernel@...r.kernel.org, Amit Shah <aams@...zon.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        David Woodhouse <dwmw@...zon.co.uk>,
        "Gustavo A. R. Silva" <gustavoars@...nel.org>,
        Kees Cook <keescook@...omium.org>,
        Laura Abbott <labbott@...nel.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Thorsten Leemhuis <linux@...mhuis.info>,
        Tyler Hicks <tyhicks@...ux.microsoft.com>
Subject: Re: [PATCH v3 4/7] Documentation/security-bugs: add linux-distros
 and oss-security sections

On Sun, Mar 05, 2023 at 11:00:07PM +0100, Vegard Nossum wrote:
> The existing information about CVE assignment requests and coordinated
> disclosure fits much better in these new sections, since that's what these
> lists are for.
> 
> Keep just a reminder in the security list section.
> 
> Signed-off-by: Vegard Nossum <vegard.nossum@...cle.com>
> ---
>  Documentation/process/security-bugs.rst | 92 ++++++++++++++++++-------
>  1 file changed, 67 insertions(+), 25 deletions(-)
> 
> diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
> index fb156d146c42..2dd6569a7abb 100644
> --- a/Documentation/process/security-bugs.rst
> +++ b/Documentation/process/security-bugs.rst
> @@ -31,6 +31,10 @@ be released without consent from the reporter unless it has already been
>  made public.  Reporters are encouraged to propose patches, participate in the
>  discussions of a fix, and test patches.
>  
> +The security team does not assign CVEs, nor does it require them for reports
> +or fixes.  CVEs may be requested when the issue is reported to the
> +linux-distros list.
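Review bot: the added paragraph names the linux-distros list as the place where "CVEs may be requested" but does not say who actually assigns them or point at the linux-distros section this patch introduces, so a reader of the security-list section can still conclude that the security team is part of the CVE process, which the first sentence is trying to rule out. Suggest making the hand-off explicit and adding a cross-reference, e.g. "CVE assignment is handled outside the kernel security team; see the linux-distros section below." Also note that the hunk header `@@ -31,6 +31,10 @@` announces four added lines while only three `+` lines are quoted here, so the quoted hunk appears to be cut off before its final line.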

Note, this kind of implies that the security team would be the one whom
you request a CVE from.  We can't do that, nor do we ever even want to
deal with that for obvious reasons.  Also, who is to say that CVEs are
even anything anyone should be messing with in the first place given how
much they are abused and irrelevant most of the time?

So I would just keep a big "The kernel developer community does not deal
with CVEs at all.  If you want one for your résumé/CV, please contact
MITRE directly at your own risk." type of warning in the document and
leave it at that.

thanks,

greg k-h
