doc: clarify disclosure time slot when no response
Checks
Commit Message
Sometimes security team won't send confirmation mail back to reporter
in three business days. This mean reported vulnerability is either low
severity or not a real vulnerability. Reporter should assume that the
issue need shortest embargo. After that reporter can submit it through
normal bugzilla process or send out fix patch to public.
Signed-off-by: Marvin Liu <yong.liu@intel.com>
Signed-off-by: Qian Xu <qian.q.xu@intel.com>
Comments
On 1/25/2021 1:57 AM, Marvin Liu wrote:
> Sometimes security team won't send confirmation mail back to reporter
> in three business days. This mean reported vulnerability is either low
> severity or not a real vulnerability. Reporter should assume that the
> issue need shortest embargo. After that reporter can submit it through
> normal bugzilla process or send out fix patch to public.
>
> Signed-off-by: Marvin Liu <yong.liu@intel.com>
> Signed-off-by: Qian Xu <qian.q.xu@intel.com>
>
> diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
> index b6300252ad..cda814fa69 100644
> --- a/doc/guides/contributing/vulnerability.rst
> +++ b/doc/guides/contributing/vulnerability.rst
> @@ -99,6 +99,11 @@ Following information must be included in the mail:
> * Reporter credit
> * Bug ID (empty and restricted for future reference)
>
> +If no confirmation mail send back to reporter in this period, thus mean security
> +team take this vulnerability as low severity. Furthermore shortest embargo **two weeks**
> +is required for it. Reporter can sumbit the bug through normal process or send
> +out patch to public.
> +
Agree to not block the fixes, it is defeating the purpose to have a
vulnerability process.
On 2/2/2021 11:28 AM, Ferruh Yigit wrote:
> On 1/25/2021 1:57 AM, Marvin Liu wrote:
>> Sometimes security team won't send confirmation mail back to reporter
>> in three business days. This mean reported vulnerability is either low
>> severity or not a real vulnerability. Reporter should assume that the
>> issue need shortest embargo. After that reporter can submit it through
>> normal bugzilla process or send out fix patch to public.
>>
>> Signed-off-by: Marvin Liu <yong.liu@intel.com>
>> Signed-off-by: Qian Xu <qian.q.xu@intel.com>
>>
>> diff --git a/doc/guides/contributing/vulnerability.rst
>> b/doc/guides/contributing/vulnerability.rst
>> index b6300252ad..cda814fa69 100644
>> --- a/doc/guides/contributing/vulnerability.rst
>> +++ b/doc/guides/contributing/vulnerability.rst
>> @@ -99,6 +99,11 @@ Following information must be included in the mail:
>> * Reporter credit
>> * Bug ID (empty and restricted for future reference)
>> +If no confirmation mail send back to reporter in this period, thus mean security
>> +team take this vulnerability as low severity. Furthermore shortest embargo
>> **two weeks**
>> +is required for it. Reporter can sumbit the bug through normal process or send
>> +out patch to public.
>> +
>
> Agree to not block the fixes, it is defeating the purpose to have a
> vulnerability process.
The patch is out for a while and there is no objection so far, I suggest just
keep continue with the fixes stuck in the process.
25/01/2021 02:57, Marvin Liu:
> Sometimes security team won't send confirmation mail back to reporter
> in three business days. This mean reported vulnerability is either low
> severity or not a real vulnerability. Reporter should assume that the
> issue need shortest embargo. After that reporter can submit it through
> normal bugzilla process or send out fix patch to public.
>
> Signed-off-by: Marvin Liu <yong.liu@intel.com>
> Signed-off-by: Qian Xu <qian.q.xu@intel.com>
>
> diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
> index b6300252ad..cda814fa69 100644
> --- a/doc/guides/contributing/vulnerability.rst
> +++ b/doc/guides/contributing/vulnerability.rst
> @@ -99,6 +99,11 @@ Following information must be included in the mail:
> * Reporter credit
> * Bug ID (empty and restricted for future reference)
>
> +If no confirmation mail send back to reporter in this period, thus mean security
> +team take this vulnerability as low severity. Furthermore shortest embargo **two weeks**
> +is required for it. Reporter can sumbit the bug through normal process or send
sumbit -> submit
> +out patch to public.
Do we agree on the principle?
Does it require a bit of rewriting?
On Fri, 31 Mar 2023 12:38:23 +0200
Thomas Monjalon <thomas@monjalon.net> wrote:
> >
> > +If no confirmation mail send back to reporter in this period, thus mean security
> > +team take this vulnerability as low severity. Furthermore shortest embargo **two weeks**
> > +is required for it. Reporter can sumbit the bug through normal process or send
>
> sumbit -> submit
>
> > +out patch to public.
>
> Do we agree on the principle?
> Does it require a bit of rewriting?
LGTM
On Thu, 25 Feb 2021 14:14:29 +0000
Ferruh Yigit <ferruh.yigit@intel.com> wrote:
> On 2/2/2021 11:28 AM, Ferruh Yigit wrote:
> > On 1/25/2021 1:57 AM, Marvin Liu wrote:
> >> Sometimes security team won't send confirmation mail back to reporter
> >> in three business days. This mean reported vulnerability is either low
> >> severity or not a real vulnerability. Reporter should assume that the
> >> issue need shortest embargo. After that reporter can submit it through
> >> normal bugzilla process or send out fix patch to public.
> >>
> >> Signed-off-by: Marvin Liu <yong.liu@intel.com>
> >> Signed-off-by: Qian Xu <qian.q.xu@intel.com>
> >>
> >> diff --git a/doc/guides/contributing/vulnerability.rst
> >> b/doc/guides/contributing/vulnerability.rst
> >> index b6300252ad..cda814fa69 100644
> >> --- a/doc/guides/contributing/vulnerability.rst
> >> +++ b/doc/guides/contributing/vulnerability.rst
> >> @@ -99,6 +99,11 @@ Following information must be included in the mail:
> >> * Reporter credit
> >> * Bug ID (empty and restricted for future reference)
> >> +If no confirmation mail send back to reporter in this period, thus mean security
> >> +team take this vulnerability as low severity. Furthermore shortest embargo
> >> **two weeks**
> >> +is required for it. Reporter can sumbit the bug through normal process or send
> >> +out patch to public.
> >> +
> >
> > Agree to not block the fixes, it is defeating the purpose to have a
> > vulnerability process.
>
> The patch is out for a while and there is no objection so far, I suggest just
> keep continue with the fixes stuck in the process.
Marking this patch as rejected. Open to future wording/process changes here
but it didn't seem necessary and no consensus in several years
@@ -99,6 +99,11 @@ Following information must be included in the mail:
* Reporter credit
* Bug ID (empty and restricted for future reference)
+If no confirmation mail send back to reporter in this period, thus mean security
+team take this vulnerability as low severity. Furthermore shortest embargo **two weeks**
+is required for it. Reporter can sumbit the bug through normal process or send
+out patch to public.
+
CVE Request
-----------