|
|
@@ -14,14 +14,17 @@ Contact
|
|
|
The Linux kernel security team can be contacted by email at
|
|
|
<security@kernel.org>. This is a private list of security officers
|
|
|
who will help verify the bug report and develop and release a fix.
|
|
|
-It is possible that the security team will bring in extra help from
|
|
|
-area maintainers to understand and fix the security vulnerability.
|
|
|
+If you already have a fix, please include it with your report, as
|
|
|
+that can speed up the process considerably. It is possible that the
|
|
|
+security team will bring in extra help from area maintainers to
|
|
|
+understand and fix the security vulnerability.
|
|
|
|
|
|
As it is with any bug, the more information provided the easier it
|
|
|
will be to diagnose and fix. Please review the procedure outlined in
|
|
|
-admin-guide/reporting-bugs.rst if you are unclear about what information is helpful.
|
|
|
-Any exploit code is very helpful and will not be released without
|
|
|
-consent from the reporter unless it has already been made public.
|
|
|
+admin-guide/reporting-bugs.rst if you are unclear about what
|
|
|
+information is helpful. Any exploit code is very helpful and will not
|
|
|
+be released without consent from the reporter unless it has already been
|
|
|
+made public.
|
|
|
|
|
|
Disclosure
|
|
|
----------
|
|
|
@@ -39,6 +42,32 @@ disclosure is from immediate (esp. if it's already publicly known)
|
|
|
to a few weeks. As a basic default policy, we expect report date to
|
|
|
disclosure date to be on the order of 7 days.
|
|
|
|
|
|
+Coordination
|
|
|
+------------
|
|
|
+
|
|
|
+Fixes for sensitive bugs, such as those that might lead to privilege
|
|
|
+escalations, may need to be coordinated with the private
|
|
|
+<linux-distros@vs.openwall.org> mailing list so that distribution vendors
|
|
|
+are well prepared to issue a fixed kernel upon public disclosure of the
|
|
|
+upstream fix. Distros will need some time to test the proposed patch and
|
|
|
+will generally request at least a few days of embargo, and vendor update
|
|
|
+publication prefers to happen Tuesday through Thursday. When appropriate,
|
|
|
+the security team can assist with this coordination, or the reporter can
|
|
|
+include linux-distros from the start. In this case, remember to prefix
|
|
|
+the email Subject line with "[vs]" as described in the linux-distros wiki:
|
|
|
+<http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists>
|
|
|
+
|
|
|
+CVE assignment
|
|
|
+--------------
|
|
|
+
|
|
|
+The security team does not normally assign CVEs, nor do we require them
|
|
|
+for reports or fixes, as this can needlessly complicate the process and
|
|
|
+may delay the bug handling. If a reporter wishes to have a CVE identifier
|
|
|
+assigned ahead of public disclosure, they will need to contact the private
|
|
|
+linux-distros list, described above. When such a CVE identifier is known
|
|
|
+before a patch is provided, it is desirable to mention it in the commit
|
|
|
+message, though.
|
|
|
+
|
|
|
Non-disclosure agreements
|
|
|
-------------------------
|
|
|
|
Kees Cook