diff mbox series

doc: clarify disclosure time slot when no response

Message ID 20210125015736.7555-1-yong.liu@intel.com (mailing list archive)
State Rejected, archived
Delegated to: Thomas Monjalon
Headers
Series doc: clarify disclosure time slot when no response |

Checks

Context Check Description
ci/checkpatch success coding style OK
ci/Intel-compilation success Compilation OK
ci/intel-Testing success Testing PASS

Commit Message

Marvin Liu Jan. 25, 2021, 1:57 a.m. UTC 
  Sometimes security team won't send confirmation mail back to reporter
in three business days. This mean reported vulnerability is either low
severity or not a real vulnerability. Reporter should assume that the
issue need shortest embargo. After that reporter can submit it through
normal bugzilla process or send out fix patch to public.

Signed-off-by: Marvin Liu <yong.liu@intel.com>
Signed-off-by: Qian Xu <qian.q.xu@intel.com>

Comments

Ferruh Yigit Feb. 2, 2021, 11:28 a.m. UTC | #1 
On 1/25/2021 1:57 AM, Marvin Liu wrote:
> Sometimes security team won't send confirmation mail back to reporter
> in three business days. This mean reported vulnerability is either low
> severity or not a real vulnerability. Reporter should assume that the
> issue need shortest embargo. After that reporter can submit it through
> normal bugzilla process or send out fix patch to public.
> 
> Signed-off-by: Marvin Liu <yong.liu@intel.com>
> Signed-off-by: Qian Xu <qian.q.xu@intel.com>
> 
> diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
> index b6300252ad..cda814fa69 100644
> --- a/doc/guides/contributing/vulnerability.rst
> +++ b/doc/guides/contributing/vulnerability.rst
> @@ -99,6 +99,11 @@ Following information must be included in the mail:
>   * Reporter credit
>   * Bug ID (empty and restricted for future reference)
>   
> +If no confirmation mail send back to reporter in this period, thus mean security
> +team take this vulnerability as low severity. Furthermore shortest embargo **two weeks**
> +is required for it. Reporter can sumbit the bug through normal process or send
> +out patch to public.
> +

Agree to not block the fixes, it is defeating the purpose to have a 
vulnerability process.
Ferruh Yigit Feb. 25, 2021, 2:14 p.m. UTC | #2 
On 2/2/2021 11:28 AM, Ferruh Yigit wrote:
> On 1/25/2021 1:57 AM, Marvin Liu wrote:
>> Sometimes security team won't send confirmation mail back to reporter
>> in three business days. This mean reported vulnerability is either low
>> severity or not a real vulnerability. Reporter should assume that the
>> issue need shortest embargo. After that reporter can submit it through
>> normal bugzilla process or send out fix patch to public.
>>
>> Signed-off-by: Marvin Liu <yong.liu@intel.com>
>> Signed-off-by: Qian Xu <qian.q.xu@intel.com>
>>
>> diff --git a/doc/guides/contributing/vulnerability.rst 
>> b/doc/guides/contributing/vulnerability.rst
>> index b6300252ad..cda814fa69 100644
>> --- a/doc/guides/contributing/vulnerability.rst
>> +++ b/doc/guides/contributing/vulnerability.rst
>> @@ -99,6 +99,11 @@ Following information must be included in the mail:
>>   * Reporter credit
>>   * Bug ID (empty and restricted for future reference)
>> +If no confirmation mail send back to reporter in this period, thus mean security
>> +team take this vulnerability as low severity. Furthermore shortest embargo 
>> **two weeks**
>> +is required for it. Reporter can sumbit the bug through normal process or send
>> +out patch to public.
>> +
> 
> Agree to not block the fixes, it is defeating the purpose to have a 
> vulnerability process.

The patch is out for a while and there is no objection so far, I suggest just 
keep continue with the fixes stuck in the process.
Thomas Monjalon March 31, 2023, 10:38 a.m. UTC | #3 
25/01/2021 02:57, Marvin Liu:
> Sometimes security team won't send confirmation mail back to reporter
> in three business days. This mean reported vulnerability is either low
> severity or not a real vulnerability. Reporter should assume that the
> issue need shortest embargo. After that reporter can submit it through
> normal bugzilla process or send out fix patch to public.
> 
> Signed-off-by: Marvin Liu <yong.liu@intel.com>
> Signed-off-by: Qian Xu <qian.q.xu@intel.com>
> 
> diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
> index b6300252ad..cda814fa69 100644
> --- a/doc/guides/contributing/vulnerability.rst
> +++ b/doc/guides/contributing/vulnerability.rst
> @@ -99,6 +99,11 @@ Following information must be included in the mail:
>  * Reporter credit
>  * Bug ID (empty and restricted for future reference)
>  
> +If no confirmation mail send back to reporter in this period, thus mean security
> +team take this vulnerability as low severity. Furthermore shortest embargo **two weeks**
> +is required for it. Reporter can sumbit the bug through normal process or send

sumbit -> submit

> +out patch to public.

Do we agree on the principle?
Does it require a bit of rewriting?
Stephen Hemminger March 31, 2023, 3:31 p.m. UTC | #4 
On Fri, 31 Mar 2023 12:38:23 +0200
Thomas Monjalon <thomas@monjalon.net> wrote:

> >  
> > +If no confirmation mail send back to reporter in this period, thus mean security
> > +team take this vulnerability as low severity. Furthermore shortest embargo **two weeks**
> > +is required for it. Reporter can sumbit the bug through normal process or send  
> 
> sumbit -> submit
> 
> > +out patch to public.  
> 
> Do we agree on the principle?
> Does it require a bit of rewriting?

LGTM
Stephen Hemminger June 15, 2023, 4:17 p.m. UTC | #5 
On Thu, 25 Feb 2021 14:14:29 +0000
Ferruh Yigit <ferruh.yigit@intel.com> wrote:

> On 2/2/2021 11:28 AM, Ferruh Yigit wrote:
> > On 1/25/2021 1:57 AM, Marvin Liu wrote:  
> >> Sometimes security team won't send confirmation mail back to reporter
> >> in three business days. This mean reported vulnerability is either low
> >> severity or not a real vulnerability. Reporter should assume that the
> >> issue need shortest embargo. After that reporter can submit it through
> >> normal bugzilla process or send out fix patch to public.
> >>
> >> Signed-off-by: Marvin Liu <yong.liu@intel.com>
> >> Signed-off-by: Qian Xu <qian.q.xu@intel.com>
> >>
> >> diff --git a/doc/guides/contributing/vulnerability.rst 
> >> b/doc/guides/contributing/vulnerability.rst
> >> index b6300252ad..cda814fa69 100644
> >> --- a/doc/guides/contributing/vulnerability.rst
> >> +++ b/doc/guides/contributing/vulnerability.rst
> >> @@ -99,6 +99,11 @@ Following information must be included in the mail:
> >>   * Reporter credit
> >>   * Bug ID (empty and restricted for future reference)
> >> +If no confirmation mail send back to reporter in this period, thus mean security
> >> +team take this vulnerability as low severity. Furthermore shortest embargo 
> >> **two weeks**
> >> +is required for it. Reporter can sumbit the bug through normal process or send
> >> +out patch to public.
> >> +  
> > 
> > Agree to not block the fixes, it is defeating the purpose to have a 
> > vulnerability process.  
> 
> The patch is out for a while and there is no objection so far, I suggest just 
> keep continue with the fixes stuck in the process.

Marking this patch as rejected. Open to future wording/process changes here
but it didn't seem necessary and no consensus in several years
diff mbox series

Patch

diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
index b6300252ad..cda814fa69 100644
--- a/doc/guides/contributing/vulnerability.rst
+++ b/doc/guides/contributing/vulnerability.rst
@@ -99,6 +99,11 @@  Following information must be included in the mail:
 * Reporter credit
 * Bug ID (empty and restricted for future reference)
 
+If no confirmation mail send back to reporter in this period, thus mean security
+team take this vulnerability as low severity. Furthermore shortest embargo **two weeks**
+is required for it. Reporter can sumbit the bug through normal process or send
+out patch to public.
+
 CVE Request
 -----------