Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group

Because the linux-distros group forces reporters to release information about reported bugs, and they impose arbitrary deadlines in having those bugs fixed despite not actually being kernel developers, the kernel security team recommends not interacting with them at all as this just causes confusion and the early-release of reported security problems. Reviewed-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/2023063020-throat-pantyhose-f110@gregkhSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group
Because the linux-distros group forces reporters to release information about reported bugs, and they impose arbitrary deadlines in having those bugs fixed despite not actually being kernel developers, the kernel security team recommends not interacting with them at all as this just causes confusion and the early-release of reported security problems. Reviewed-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/2023063020-throat-pantyhose-f110@gregkhSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
4fee0915 · Greg Kroah-Hartman · fdf0eaf1 · 4fee0915
Commit 4fee0915 authored Jun 30, 2023 by Greg Kroah-Hartman
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 14 deletions

Documentation/process/security-bugs.rst Documentation/process/security-bugs.rst +12 -14

No files found.
--- a/Documentation/process/security-bugs.rst
+++ b/Documentation/process/security-bugs.rst
@@ -63,20 +63,18 @@ information submitted to the security list and any followup discussions
 of the report are treated confidentially even after the embargo has been
 lifted, in perpetuity.
-Coordination
+Coordination with other groups
------------
+------------------------------
-Fixes for sensitive bugs, such as those that might lead to privilege
+The kernel security team strongly recommends that reporters of potential
-escalations, may need to be coordinated with the private
+security issues NEVER contact the "linux-distros" mailing list until
-<linux-distros@vs.openwall.org> mailing list so that distribution vendors
+AFTER discussing it with the kernel security team.  Do not Cc: both
-are well prepared to issue a fixed kernel upon public disclosure of the
+lists at once.  You may contact the linux-distros mailing list after a
-upstream fix. Distros will need some time to test the proposed patch and
+fix has been agreed on and you fully understand the requirements that
-will generally request at least a few days of embargo, and vendor update
+doing so will impose on you and the kernel community.
-publication prefers to happen Tuesday through Thursday. When appropriate,
-the security team can assist with this coordination, or the reporter can
+The different lists have different goals and the linux-distros rules do
-include linux-distros from the start. In this case, remember to prefix
+not contribute to actually fixing any potential security problems.
-the email Subject line with "[vs]" as described in the linux-distros wiki:
-<http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists>
 CVE assignment
 --------------