git.ipfire.org Git - thirdparty/linux.git/commit
Documentation: security-bugs: explain what is and is not a security bug
author Willy Tarreau <w@1wt.eu>
Sat, 9 May 2026 09:47:54 +0000 (11:47 +0200)
committer Jonathan Corbet <corbet@lwn.net>
Tue, 12 May 2026 17:09:14 +0000 (11:09 -0600)
commit a03ef333fbd6cd861c8457c3d055ee3643a9baad
tree d262316dd105dadca11f8400782471ce01a2e484
parent aed3c3346765e4317bb2ec6ff872e1c952e128ab

The use of automated tools to find bugs in random locations of the kernel
induces a rise in security reports even if most of them should just be
reported as regular bugs. This patch is an attempt at drawing a line
between what qualifies as a security bug and what does not, hoping to
improve the situation and ease the decision on the reporter's side.

It defers the enumeration to a new file, threat-model.rst, that tries
to enumerate various classes of issues that are and are not security
bugs. This should make it easier to update this file for various
subsystem-specific rules without having to revisit the security bug
reporting guide.

Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Leon Romanovsky <leon@kernel.org>
Suggested-by: Leon Romanovsky <leon@kernel.org>
Suggested-by: Greg KH <gregkh@linuxfoundation.org>
Reviewed-by: Leon Romanovsky <leon@kernel.org>
Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Message-ID: <20260509094755.2838-3-w@1wt.eu>
Documentation/process/index.rst
Documentation/process/security-bugs.rst
Documentation/process/threat-model.rst [new file with mode: 0644]