diff options
| author | Willy Tarreau <w@1wt.eu> | 2026-05-09 11:47:53 +0200 |
|---|---|---|
| committer | Jonathan Corbet <corbet@lwn.net> | 2026-05-12 11:09:14 -0600 |
| commit | aed3c3346765e4317bb2ec6ff872e1c952e128ab (patch) | |
| tree | 7ecfefe219273732ca39b83a9c41526617e0df4d | |
| parent | 254f49634ee16a731174d2ae34bc50bd5f45e731 (diff) | |
| download | lwn-aed3c3346765e4317bb2ec6ff872e1c952e128ab.tar.gz lwn-aed3c3346765e4317bb2ec6ff872e1c952e128ab.zip | |
Documentation: security-bugs: do not systematically Cc the security team
With the increase of automated reports, the security team is dealing
with way more messages than really needed. The reporting process works
well with most teams so there is no need to systematically involve the
security team in reports.
Let's suggest to keep it for small lists of recipients and new reporters
only. This should continue to cover the risk of lost messages while
reducing the volume from prolific reporters.
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Leon Romanovsky <leon@kernel.org>
Reviewed-by: Leon Romanovsky <leon@kernel.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Message-ID: <20260509094755.2838-2-w@1wt.eu>
| -rw-r--r-- | Documentation/process/security-bugs.rst | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst index 27b028e85861..6dc525858125 100644 --- a/Documentation/process/security-bugs.rst +++ b/Documentation/process/security-bugs.rst @@ -148,7 +148,15 @@ run additional tests. Reports where the reporter does not respond promptly or cannot effectively discuss their findings may be abandoned if the communication does not quickly improve. -The report must be sent to maintainers, with the security team in ``Cc:``. +The report must be sent to maintainers. If there are two or fewer +recipients in your message, you must also always Cc: the Linux kernel +security team who will ensure the message is delivered to the proper +people, and will be able to assist small maintainer teams with processes +they may not be familiar with. For larger teams, Cc: the Linux kernel +security team for your first few reports or when seeking specific help, +such as when resending a message which got no response within a week. +Once you have become comfortable with the process for a few reports, it is +no longer necessary to Cc: the security list when sending to large teams. The Linux kernel security team can be contacted by email at <security@kernel.org>. This is a private list of security officers who will help verify the bug report and assist developers working on a fix. |