diff mbox series

doc: clarify disclosure time slot when no response

Message ID 20210125015736.7555-1-yong.liu@intel.com (mailing list archive)
State New
Delegated to: Thomas Monjalon
Headers show
Series doc: clarify disclosure time slot when no response | expand

Checks

Context Check Description
ci/intel-Testing success Testing PASS
ci/Intel-compilation success Compilation OK
ci/checkpatch success coding style OK

Commit Message

Marvin Liu Jan. 25, 2021, 1:57 a.m. UTC
Sometimes security team won't send confirmation mail back to reporter
in three business days. This mean reported vulnerability is either low
severity or not a real vulnerability. Reporter should assume that the
issue need shortest embargo. After that reporter can submit it through
normal bugzilla process or send out fix patch to public.

Signed-off-by: Marvin Liu <yong.liu@intel.com>
Signed-off-by: Qian Xu <qian.q.xu@intel.com>

Comments

Ferruh Yigit Feb. 2, 2021, 11:28 a.m. UTC | #1
On 1/25/2021 1:57 AM, Marvin Liu wrote:
> Sometimes security team won't send confirmation mail back to reporter
> in three business days. This mean reported vulnerability is either low
> severity or not a real vulnerability. Reporter should assume that the
> issue need shortest embargo. After that reporter can submit it through
> normal bugzilla process or send out fix patch to public.
> 
> Signed-off-by: Marvin Liu <yong.liu@intel.com>
> Signed-off-by: Qian Xu <qian.q.xu@intel.com>
> 
> diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
> index b6300252ad..cda814fa69 100644
> --- a/doc/guides/contributing/vulnerability.rst
> +++ b/doc/guides/contributing/vulnerability.rst
> @@ -99,6 +99,11 @@ Following information must be included in the mail:
>   * Reporter credit
>   * Bug ID (empty and restricted for future reference)
>   
> +If no confirmation mail send back to reporter in this period, thus mean security
> +team take this vulnerability as low severity. Furthermore shortest embargo **two weeks**
> +is required for it. Reporter can sumbit the bug through normal process or send
> +out patch to public.
> +

Agree to not block the fixes, it is defeating the purpose to have a 
vulnerability process.
Ferruh Yigit Feb. 25, 2021, 2:14 p.m. UTC | #2
On 2/2/2021 11:28 AM, Ferruh Yigit wrote:
> On 1/25/2021 1:57 AM, Marvin Liu wrote:
>> Sometimes security team won't send confirmation mail back to reporter
>> in three business days. This mean reported vulnerability is either low
>> severity or not a real vulnerability. Reporter should assume that the
>> issue need shortest embargo. After that reporter can submit it through
>> normal bugzilla process or send out fix patch to public.
>>
>> Signed-off-by: Marvin Liu <yong.liu@intel.com>
>> Signed-off-by: Qian Xu <qian.q.xu@intel.com>
>>
>> diff --git a/doc/guides/contributing/vulnerability.rst 
>> b/doc/guides/contributing/vulnerability.rst
>> index b6300252ad..cda814fa69 100644
>> --- a/doc/guides/contributing/vulnerability.rst
>> +++ b/doc/guides/contributing/vulnerability.rst
>> @@ -99,6 +99,11 @@ Following information must be included in the mail:
>>   * Reporter credit
>>   * Bug ID (empty and restricted for future reference)
>> +If no confirmation mail send back to reporter in this period, thus mean security
>> +team take this vulnerability as low severity. Furthermore shortest embargo 
>> **two weeks**
>> +is required for it. Reporter can sumbit the bug through normal process or send
>> +out patch to public.
>> +
> 
> Agree to not block the fixes, it is defeating the purpose to have a 
> vulnerability process.

The patch is out for a while and there is no objection so far, I suggest just 
keep continue with the fixes stuck in the process.
diff mbox series

Patch

diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
index b6300252ad..cda814fa69 100644
--- a/doc/guides/contributing/vulnerability.rst
+++ b/doc/guides/contributing/vulnerability.rst
@@ -99,6 +99,11 @@  Following information must be included in the mail:
 * Reporter credit
 * Bug ID (empty and restricted for future reference)
 
+If no confirmation mail send back to reporter in this period, thus mean security
+team take this vulnerability as low severity. Furthermore shortest embargo **two weeks**
+is required for it. Reporter can sumbit the bug through normal process or send
+out patch to public.
+
 CVE Request
 -----------