Message ID | 20210125015736.7555-1-yong.liu@intel.com (mailing list archive) |
---|---|
State | New |
Delegated to: | Thomas Monjalon |
Series | doc: clarify disclosure time slot when no response |
Context | Check | Description |
---|---|---|
ci/intel-Testing | success | Testing PASS |
ci/Intel-compilation | success | Compilation OK |
ci/checkpatch | success | coding style OK |
On 1/25/2021 1:57 AM, Marvin Liu wrote: > Sometimes security team won't send confirmation mail back to reporter > in three business days. This mean reported vulnerability is either low > severity or not a real vulnerability. Reporter should assume that the > issue need shortest embargo. After that reporter can submit it through > normal bugzilla process or send out fix patch to public. > > Signed-off-by: Marvin Liu <yong.liu@intel.com> > Signed-off-by: Qian Xu <qian.q.xu@intel.com> > > diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst > index b6300252ad..cda814fa69 100644 > --- a/doc/guides/contributing/vulnerability.rst > +++ b/doc/guides/contributing/vulnerability.rst > @@ -99,6 +99,11 @@ Following information must be included in the mail: > * Reporter credit > * Bug ID (empty and restricted for future reference) > > +If no confirmation mail send back to reporter in this period, thus mean security > +team take this vulnerability as low severity. Furthermore shortest embargo **two weeks** > +is required for it. Reporter can sumbit the bug through normal process or send > +out patch to public. > +

Agree to not block the fixes, it is defeating the purpose to have a vulnerability process.
On 2/2/2021 11:28 AM, Ferruh Yigit wrote: > On 1/25/2021 1:57 AM, Marvin Liu wrote: >> Sometimes security team won't send confirmation mail back to reporter >> in three business days. This mean reported vulnerability is either low >> severity or not a real vulnerability. Reporter should assume that the >> issue need shortest embargo. After that reporter can submit it through >> normal bugzilla process or send out fix patch to public. >> >> Signed-off-by: Marvin Liu <yong.liu@intel.com> >> Signed-off-by: Qian Xu <qian.q.xu@intel.com> >> >> diff --git a/doc/guides/contributing/vulnerability.rst >> b/doc/guides/contributing/vulnerability.rst >> index b6300252ad..cda814fa69 100644 >> --- a/doc/guides/contributing/vulnerability.rst >> +++ b/doc/guides/contributing/vulnerability.rst >> @@ -99,6 +99,11 @@ Following information must be included in the mail: >> * Reporter credit >> * Bug ID (empty and restricted for future reference) >> +If no confirmation mail send back to reporter in this period, thus mean security >> +team take this vulnerability as low severity. Furthermore shortest embargo >> **two weeks** >> +is required for it. Reporter can sumbit the bug through normal process or send >> +out patch to public. >> + > > Agree to not block the fixes, it is defeating the purpose to have a > vulnerability process.

The patch has been out for a while and there is no objection so far; I suggest we just continue with the fixes stuck in the process.
diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst index b6300252ad..cda814fa69 100644 --- a/doc/guides/contributing/vulnerability.rst +++ b/doc/guides/contributing/vulnerability.rst @@ -99,6 +99,11 @@ Following information must be included in the mail: * Reporter credit * Bug ID (empty and restricted for future reference) +If no confirmation mail send back to reporter in this period, thus mean security +team take this vulnerability as low severity. Furthermore shortest embargo **two weeks** +is required for it. Reporter can sumbit the bug through normal process or send +out patch to public. + CVE Request -----------
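Review bot: The added paragraph in the `@@ -99,6 +99,11 @@` hunk leaves the reporter's obligations ambiguous and does not match the commit message. "in this period" has no antecedent in the visible context (the preceding lines are the list ending in "Bug ID"), while the commit message names it as three business days, so the paragraph should state the duration itself. The commit message says silence means the issue is "either low severity or not a real vulnerability", but the added text only says the security team takes it as low severity; the two should agree. It is also unclear whether the **two weeks** embargo must elapse before the reporter may "send out patch to public", or whether public submission is allowed immediately, and from which date the two weeks are counted (report date or end of the confirmation window). Suggested wording along the lines of: "If the security team sends no confirmation within three business days, the reporter should treat the issue as low severity and apply the shortest embargo of **two weeks**. After that, the reporter can submit the bug through the normal process or send a patch publicly." Spelling and grammar in the added lines also need a pass: "sumbit" should be "submit", and "If no confirmation mail send back ... thus mean" does not parse.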