forked from ~ljy/RK356X_SDK_RELEASE

blame | history | patch | commit | commitdiff
hc
2024-10-12 a5969cabbb4660eab42b6ef0412cbbd1200cf14d 
 kernel/Documentation/admin-guide/security-bugs.rst
....@@ -63,31 +63,28 @@
6363 of the report are treated confidentially even after the embargo has been
6464 lifted, in perpetuity.
6565 
66
-Coordination
67
-------------
66
+Coordination with other groups
67
+------------------------------
6868 
69
-Fixes for sensitive bugs, such as those that might lead to privilege
70
-escalations, may need to be coordinated with the private
71
-<linux-distros@vs.openwall.org> mailing list so that distribution vendors
72
-are well prepared to issue a fixed kernel upon public disclosure of the
73
-upstream fix. Distros will need some time to test the proposed patch and
74
-will generally request at least a few days of embargo, and vendor update
75
-publication prefers to happen Tuesday through Thursday. When appropriate,
76
-the security team can assist with this coordination, or the reporter can
77
-include linux-distros from the start. In this case, remember to prefix
78
-the email Subject line with "[vs]" as described in the linux-distros wiki:
79
-<http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists>
69
+The kernel security team strongly recommends that reporters of potential
70
+security issues NEVER contact the "linux-distros" mailing list until
71
+AFTER discussing it with the kernel security team.  Do not Cc: both
72
+lists at once.  You may contact the linux-distros mailing list after a
73
+fix has been agreed on and you fully understand the requirements that
74
+doing so will impose on you and the kernel community.
75
+
76
+The different lists have different goals and the linux-distros rules do
77
+not contribute to actually fixing any potential security problems.
8078 
8179 CVE assignment
8280 --------------
8381 
84
-The security team does not normally assign CVEs, nor do we require them
85
-for reports or fixes, as this can needlessly complicate the process and
86
-may delay the bug handling. If a reporter wishes to have a CVE identifier
87
-assigned ahead of public disclosure, they will need to contact the private
88
-linux-distros list, described above. When such a CVE identifier is known
89
-before a patch is provided, it is desirable to mention it in the commit
90
-message if the reporter agrees.
82
+The security team does not assign CVEs, nor do we require them for
83
+reports or fixes, as this can needlessly complicate the process and may
84
+delay the bug handling.  If a reporter wishes to have a CVE identifier
85
+assigned, they should find one by themselves, for example by contacting
86
+MITRE directly.  However under no circumstances will a patch inclusion
87
+be delayed to wait for a CVE identifier to arrive.
9188 
9289 Non-disclosure agreements
9390 -------------------------