On Thu, 4 Jun 2026 at 17:51, Daniel P. Berrangé <[email protected]> wrote: > > A while back we added a requirement to declare the use of any > automated tooling used in discover of security issues, and set > a rule that the reporter must perform triage before submission > rather than blindly reporting issues. This applies equally > well to normal issue reporting, so copy it over from the > security process guidance. > > Signed-off-by: Daniel P. Berrangé <[email protected]> > --- > contribute/report-a-bug.md | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/contribute/report-a-bug.md b/contribute/report-a-bug.md > index 6071837..fd3bc6b 100644 > --- a/contribute/report-a-bug.md > +++ b/contribute/report-a-bug.md > @@ -20,6 +20,13 @@ on GitLab, taking into account the following guidance. > to the vendor's own bug tracker instead, or reproduced with > an upstream QEMU build prior to submission. > > +* If any automated tools (AI/LLM based, traditional static > + analysis, or fuzzers) were used to discover the issue, the > + reporter is required to declare this at the start of the > + bug report. Users of such tools are required to perform > + triage of their output to validate all findings and reproducer > + scenarios prior to submitting a bug report. > + > * Reproduce the problem directly with a QEMU command-line. Avoid > frontends and management stacks, to ensure that the bug is in > QEMU itself and not in a frontend and make it easier for
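Review bot: the new bullet in the report-a-bug.md hunk requires the reporter to "declare this at the start of the bug report" but does not say what the declaration should contain, so readers may just write "an AI tool was used"; consider adding a short parenthetical such as "(name the tool and, where relevant, its version)" and linking to the equivalent paragraph in the security process page the commit message says this was copied from, so the two documents stay in sync. Minor style point in the same hunk: "AI/LLM based" reads better hyphenated as "AI/LLM-based".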
Reviewed-by: Peter Maydell <[email protected]>

thanks
-- PMM
