From: Randy Dunlap <rdunlap@infradead.org>
To: Willy Tarreau <w@1wt.eu>, greg@kroah.com
Cc: edumazet@google.com, Jonathan Corbet <corbet@lwn.net>,
skhan@linuxfoundation.org, workflows@vger.kernel.org,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 3/3] Documentation: clarify the mandatory and desirable info for security reports
Date: Thu, 2 Apr 2026 11:50:00 -0700 [thread overview]
Message-ID: <18127458-1951-4b44-bcbb-a5747a3b4b6b@infradead.org> (raw)
In-Reply-To: <20260402182655.8636-4-w@1wt.eu>
On 4/2/26 11:26 AM, Willy Tarreau wrote:
> A significant part of the effort of the security team consists in begging
> reporters for patch proposals, or asking them to provide them in regular
> format, and most of the time they're willing to provide this, they just
> didn't know that it would help. So let's add a section detailing the
> required and desirable contents in a security report to help reporters
> write more actionable reports which do not require round trips.
>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Greg KH <greg@kroah.com>
> Signed-off-by: Willy Tarreau <w@1wt.eu>
> ---
> Documentation/process/security-bugs.rst | 66 ++++++++++++++++++++++---
> 1 file changed, 59 insertions(+), 7 deletions(-)
>
> diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
> index 6937fa9fba5a..b243ac24eb12 100644
> --- a/Documentation/process/security-bugs.rst
> +++ b/Documentation/process/security-bugs.rst
> @@ -7,6 +7,65 @@ Linux kernel developers take security very seriously. As such, we'd
> like to know when a security bug is found so that it can be fixed and
> disclosed as quickly as possible.
>
> +Preparing your report
> +---------------------
> +
> +Like with any bug report, a security bug report requires a lot of analysis work
> +from the developers, so the more information you can share about the issue, the
> +better. Please review the procedure outlined in
> +'Documentation/admin-guide/reporting-issues.rst' if you are unclear about what
Drop the single quote marks.
> +information is helpful. The following information are absolutely necessary in
> +**any** security bug report:
> +
> + * **affected kernel version range**: with no version indication, your report
> + will not be processed. A significant part of reports are for bugs that
> + have already been fixed, so it is extremely important that vulnerabilities
> + are verified on recent versions (development tree or latest stable
> + version), at least by verifying that the code has not changed since the
> + version where it was detected.
> +
> + * **description of the problem**: a detailed description of the problem, with
> + traces showing its manifestation, and why you consider that the observed
> + behavior as a problem in the kernel, is necessary.
> +
> + * **reproducer**: developers will need to be able to reproduce the problem to
> + consider a fix as effective. This includes both a way to trigger the issue
> + and a way to confirm it happens. A reproducer with low complexity
> + dependencies will be needed (source code, shell script, sequence of
> + instructions, file-system image etc). Binary-only executables are not
> + accepted. Working exploits are extremely helpful and will not be released
> + without consent from the reporter, unless they are already public. By
> + definition if an issue cannot be reproduced, it is not exploitable, thus it
> + is not a security bug.
> +
> + * **conditions**: if the bug depends on certain configuration options,
> + sysctls, permissions, timing, code modifications etc, these should be
> + indicated.
> +
> +In addition, the following information are highly desirable:
> +
> + * **suspected location of the bug**: the file names and functions where the
> + bug is suspected to be present are very important, at least to help forward
> + the report to the appropriate maintainers. When not possible (for example,
> + "system freezes each time I run this command"), the security team will help
> + identify the source of the bug.
> +
> + * **a proposed fix**: bug reporters who have analyzed the cause of a bug in
> + the source code almost always have an accurate idea on how to fix it,
> + because they spent a long time studying it and its implications. Proposing
> + a tested fix will save maintainers a lot of time, even if the fix ends up
> + not being the right one, because it helps understand the bug. When
> + proposing a tested fix, please always format it in a way that can be
> + immediately merged (see :doc:`regular patch submission
> + <../process/submitting-patches>`). This will save some back-and-forth
Hm, I don't see anything in submitting-patches.rst called "regular patch submission".
Is it in some other patch?
> + exchanges if it is accepted, and you will be credited for finding and
> + fixing this issue. Note that in this case only a ``Signed-off-by:`` tag is
> + needed, without ``Reported-by:` when the reporter and author are the same.
--
~Randy
next prev parent reply other threads:[~2026-04-02 18:50 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-02 18:26 [PATCH 0/3] Documentation: clarify required info in " Willy Tarreau
2026-04-02 18:26 ` [PATCH 1/3] Documentation: minor updates to the security contacts Willy Tarreau
2026-04-02 18:26 ` [PATCH 2/3] Documentation: explain how to find maintainers addresses for security reports Willy Tarreau
2026-04-02 18:42 ` Randy Dunlap
2026-04-02 19:05 ` Willy Tarreau
2026-04-02 18:26 ` [PATCH 3/3] Documentation: clarify the mandatory and desirable info " Willy Tarreau
2026-04-02 18:50 ` Randy Dunlap [this message]
2026-04-02 19:03 ` Willy Tarreau
2026-04-02 19:17 ` Randy Dunlap
2026-04-02 19:20 ` Willy Tarreau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=18127458-1951-4b44-bcbb-a5747a3b4b6b@infradead.org \
--to=rdunlap@infradead.org \
--cc=corbet@lwn.net \
--cc=edumazet@google.com \
--cc=greg@kroah.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=skhan@linuxfoundation.org \
--cc=w@1wt.eu \
--cc=workflows@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox