On Wed, May 13, 2026 at 03:02:08PM -0600, Jonathan Corbet wrote:
> Jonathan Corbet <[email protected]> writes:
>
> > Willy Tarreau <[email protected]> writes:
> >
> >> On Wed, May 13, 2026 at 12:30:10PM +0200, Greg KH wrote:
> >>> > One nit:
> >>> >
> >>> > > + * **Impact Evaluation**: Many AI-generated reports lack an
> >>> > > understanding of
> >>> > > + the kernel's threat model and go to great lengths inventing
> >>> > > theoretical
> >>> > > + consequences.
> >>> >
> >>> > If only we had a shiny new document describing that threat model that we
> >>> > could reference here... :)
> >>>
> >>> Ah yes, a link to that would make things better, but don't we have that
> >>> elsewhere in this series?
> >>
> >> It's in the same patch, I think Jon was sarcastic here. I thought I had
> >> addressed that one but apparently I was wrong :-/
> >
> > I'm just saying that this particular text should link to that document,
> > don't make readers go searching for it. I can certainly add a patch
> > doing that if you like.
>
> I was thinking something like this.
> jon

Indeed, looks good like this as it won't hide the file name from the link.
In case you'd want it:

Acked-by: Willy Tarreau <[email protected]>

Thank you!
Willy

> >From 3f02a3c190bab6b54e2a250ead0c7408af1a3c51 Mon Sep 17 00:00:00 2001 > From: Jonathan Corbet <[email protected]> > Date: Wed, 13 May 2026 14:51:29 -0600 > Subject: [PATCH 1/2] docs: security-bugs: add a link to the threat-model > documentation > > Rather than make readers search for this document, just a link to it where > it is referenced. > > (While I was at it, I removed the unused and unneeded _threatmodel label > from the top of threat-model.rst). > > Signed-off-by: Jonathan Corbet <[email protected]> > --- > Documentation/process/security-bugs.rst | 13 +++++++------ > Documentation/process/threat-model.rst | 2 -- > 2 files changed, 7 insertions(+), 8 deletions(-) > > diff --git a/Documentation/process/security-bugs.rst > b/Documentation/process/security-bugs.rst > index f85c65f31f12f..3c51ddde31dd9 100644 > --- a/Documentation/process/security-bugs.rst > +++ b/Documentation/process/security-bugs.rst
> @@ -191,12 +191,13 @@ handle: > Please **always convert your report to plain text** without any > formatting > decorations before sending it. > > - * **Impact Evaluation**: Many AI-generated reports lack an understanding of > - the kernel's threat model and go to great lengths inventing theoretical > - consequences. This adds noise and complicates triage. Please stick to > - verifiable facts (e.g., "this bug permits any user to gain > CAP_NET_ADMIN") > - without enumerating speculative implications. Have your tool read this > - documentation as part of the evaluation process. > + * **Impact Evaluation**: Many AI-generated reports lack an understanding > + of the kernel's threat model (see Documentation/process/threat-model.rst) > + and go to great lengths inventing theoretical consequences. This adds > + noise and complicates triage. Please stick to verifiable facts (e.g., > + "this bug permits any user to gain CAP_NET_ADMIN") without enumerating > + speculative implications. Have your tool read this documentation as > + part of the evaluation process. > > * **Reproducer**: AI-based tools are often capable of generating > reproducers. > Please always ensure your tool provides one and **test it thoroughly**. > If > diff --git a/Documentation/process/threat-model.rst > b/Documentation/process/threat-model.rst > index ecb432390e792..91da52f7114fd 100644 > --- a/Documentation/process/threat-model.rst > +++ b/Documentation/process/threat-model.rst > @@ -1,5 +1,3 @@ > -.. _threatmodel: > - > The Linux Kernel threat model > ============================= > > -- > 2.53.0 >
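Review bot: In the security-bugs.rst hunk, the closing sentence of the Impact Evaluation item, "Have your tool read this documentation as part of the evaluation process.", becomes ambiguous once the parenthetical "(see Documentation/process/threat-model.rst)" is added above it: "this documentation" can now be read as either security-bugs.rst itself or the threat model. Since the item is about reports that misjudge the threat model, consider naming the target explicitly in that last sentence, for example "Have your tool read the threat model documentation as part of the evaluation process."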
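Review bot: In the threat-model.rst hunk, dropping the ".. _threatmodel:" label is a separate cleanup from adding the link and is only covered by a parenthetical in the commit message. The diffstat shows just these two files, so nothing in this patch demonstrates that no other document in the series refers to the label; it would help to either state in the changelog how that was checked or move the label removal into its own patch so the link addition can be applied or reverted independently.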

