lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20230305220010.20895-1-vegard.nossum@oracle.com>
Date:   Sun,  5 Mar 2023 23:00:03 +0100
From:   Vegard Nossum <vegard.nossum@...cle.com>
To:     Jonathan Corbet <corbet@....net>, linux-doc@...r.kernel.org,
        Jiri Kosina <jkosina@...e.cz>,
        Solar Designer <solar@...nwall.com>,
        Will Deacon <will@...nel.org>, Willy Tarreau <w@....eu>
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        linux-kernel@...r.kernel.org, Amit Shah <aams@...zon.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        David Woodhouse <dwmw@...zon.co.uk>,
        "Gustavo A. R. Silva" <gustavoars@...nel.org>,
        Kees Cook <keescook@...omium.org>,
        Laura Abbott <labbott@...nel.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Thorsten Leemhuis <linux@...mhuis.info>,
        Tyler Hicks <tyhicks@...ux.microsoft.com>,
        Vegard Nossum <vegard.nossum@...cle.com>
Subject: [PATCH v3 0/7] Documentation/security-bugs: overhaul

Hi,

This is v3 of clarifying our documentation for reporting security
issues.

The current document is not clear enough, in particular the process of
disclosure and requesting CVEs, and what the roles of the different
lists are and how exactly to report to each of them.

Lots of people have been confused about the 7/14 days of the kernel list
vs. the 7/14 days of the distros list, the fact that these are two
separate lists, etc. Many reporters contact distros first, or submit
their report to both lists at the same time (which has the unfortunate
effect of starting off the disclosure countdown for the distros list
before s@k.o has had a chance to look at the report). I've shared the v2
document with a couple of people who submitted reports and they said
they found it a lot clearer. 

Probably the easiest way to see the end result of this series is to view the
rendered HTML which I've put here:
https://vegard.github.io/security-v3/Documentation/output/process/security-bugs.html

oss-security discussion prompting the change:
https://www.openwall.com/lists/oss-security/2022/05/15/1

v1 submission:
https://lore.kernel.org/all/20220531230309.9290-1-vegard.nossum@oracle.com/

v2 submission:
https://lore.kernel.org/all/20220606194850.26122-1-vegard.nossum@oracle.com/

Changes:

v2: address feedback from Willy Tarreau and Jonathan Corbet

v3: move from admin-guide/ to process/; address feedback from Will
Deacon (including reverting back to some of the original phrasing);
split into multiple patches


Vegard

Vegard Nossum (7):
  Documentation/security-bugs: move from admin-guide/ to process/
  Documentation/security-bugs: misc. improvements
  Documentation/security-bugs: improve security list section
  Documentation/security-bugs: add linux-distros and oss-security
    sections
  Documentation/security-bugs: add table of lists
  Documentation/security-bugs: clarify hardware vs. software
    vulnerabilities
  Documentation/security-bugs: document document design

 Documentation/admin-guide/index.rst           |   1 -
 .../admin-guide/reporting-issues.rst          |   4 +-
 Documentation/admin-guide/security-bugs.rst   |  96 ----------
 Documentation/process/howto.rst               |   2 +-
 Documentation/process/index.rst               |   9 +-
 .../process/researcher-guidelines.rst         |   2 +-
 Documentation/process/security-bugs.rst       | 181 ++++++++++++++++++
 Documentation/process/stable-kernel-rules.rst |   2 +-
 Documentation/process/submitting-patches.rst  |   2 +-
 .../it_IT/admin-guide/security-bugs.rst       |   2 +-
 .../it_IT/process/submitting-patches.rst      |   2 +-
 Documentation/translations/ja_JP/howto.rst    |   2 +-
 Documentation/translations/ko_KR/howto.rst    |   2 +-
 Documentation/translations/sp_SP/howto.rst    |   2 +-
 .../sp_SP/process/submitting-patches.rst      |   2 +-
 .../zh_CN/admin-guide/security-bugs.rst       |   2 +-
 .../translations/zh_CN/process/howto.rst      |   2 +-
 .../zh_TW/admin-guide/security-bugs.rst       |   2 +-
 .../translations/zh_TW/process/howto.rst      |   2 +-
 MAINTAINERS                                   |   4 +-
 20 files changed, 207 insertions(+), 116 deletions(-)
 delete mode 100644 Documentation/admin-guide/security-bugs.rst
 create mode 100644 Documentation/process/security-bugs.rst

-- 
2.40.0.rc1.2.gd15644fe02

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ