This series tries to translate recent discussions on the security list
on how to better handle reports. It details:
- when not to Cc: the security list
- what classes of bugs do not need to be handled privately
- minimum requirements for AI-assisted reports
As usual, this is probably perfectible but can already help in the short
term as we can point it to reporters, so barring any strong disagreement,
better continue to proceed in small incremental improvements and observe
the effects.
Thanks!
Willy
---
v3:
- comments about choice of words and option enumeration from Shuah
- AI is public, from Linus and Greg
- added extra reviewed-by (Greg, Shuah).
- Leon, I kept your reviewed-by since changes are very minimal and
didn't change the initial spirit.
v2:
- fixes for issues reported by Randy
- Greg's ack on the AI part
- reworded the "when to Cc" part based on Greg's feedback
(Greg I didn't take your original ack since the wording changed)
- split the threat model into its own document as per Greg's suggestion
---
Willy Tarreau (3):
Documentation: security-bugs: do not systematically Cc the security
team
Documentation: security-bugs: explain what is and is not a security
bug
Documentation: security-bugs: clarify requirements for AI-assisted
reports
Documentation/process/index.rst | 1 +
Documentation/process/security-bugs.rst | 105 ++++++++++-
Documentation/process/threat-model.rst | 236 ++++++++++++++++++++++++
3 files changed, 340 insertions(+), 2 deletions(-)
create mode 100644 Documentation/process/threat-model.rst
--
2.52.0
