On 5/9/26 03:47, Willy Tarreau wrote:
The use of automated tools to find bugs in random locations of the kernel
induces a raise of security reports even if most of them should just be
reported as regular bugs. This patch is an attempt at drawing a line
between what qualifies as a security bug and what does not, hoping to
improve the situation and ease decision on the reporter's side.
It defers the enumeration to a new file, threat-model.rst, that tries
to enumerate various classes of issues that are and are not security
bugs. This should permit to more easily update this file for various
subsystem-specific rules without having to revisit the security bug
reporting guide.
Cc: Greg KH <[email protected]>
Cc: Leon Romanovsky <[email protected]>
Suggested-by: Leon Romanovsky <[email protected]>
Suggested-by: Greg KH <[email protected]>
Reviewed-by: Leon Romanovsky <[email protected]>
Reviewed-by: Shuah Khan <[email protected]>
Signed-off-by: Willy Tarreau <[email protected]>
---
Documentation/process/index.rst | 1 +
Documentation/process/security-bugs.rst | 38 +++-
Documentation/process/threat-model.rst | 236 ++++++++++++++++++++++++
3 files changed, 274 insertions(+), 1 deletion(-)
create mode 100644 Documentation/process/threat-model.rst
Looks good to me.
thanks,
-- Shuah
