]>
Commit | Line | Data |
---|---|---|
609d99a3 MCC |
1 | .. _securitybugs: |
2 | ||
1d7078d4 MCC |
3 | Security bugs |
4 | ============= | |
5 | ||
1da177e4 LT |
6 | Linux kernel developers take security very seriously. As such, we'd |
7 | like to know when a security bug is found so that it can be fixed and | |
8 | disclosed as quickly as possible. Please report security bugs to the | |
9 | Linux kernel security team. | |
10 | ||
11 | 1) Contact | |
1d7078d4 | 12 | ---------- |
1da177e4 LT |
13 | |
14 | The Linux kernel security team can be contacted by email at | |
15 | <security@kernel.org>. This is a private list of security officers | |
16 | who will help verify the bug report and develop and release a fix. | |
17 | It is possible that the security team will bring in extra help from | |
18 | area maintainers to understand and fix the security vulnerability. | |
19 | ||
20 | As it is with any bug, the more information provided the easier it | |
21 | will be to diagnose and fix. Please review the procedure outlined in | |
22 | REPORTING-BUGS if you are unclear about what information is helpful. | |
23 | Any exploit code is very helpful and will not be released without | |
24 | consent from the reporter unless it has already been made public. | |
25 | ||
26 | 2) Disclosure | |
1d7078d4 | 27 | ------------- |
1da177e4 LT |
28 | |
29 | The goal of the Linux kernel security team is to work with the | |
30 | bug submitter to bug resolution as well as disclosure. We prefer | |
31 | to fully disclose the bug as soon as possible. It is reasonable to | |
32 | delay disclosure when the bug or the fix is not yet fully understood, | |
33 | the solution is not well-tested or for vendor coordination. However, we | |
34 | expect these delays to be short, measurable in days, not weeks or months. | |
35 | A disclosure date is negotiated by the security team working with the | |
36 | bug submitter as well as vendors. However, the kernel security team | |
37 | holds the final say when setting a disclosure date. The timeframe for | |
25985edc | 38 | disclosure is from immediate (esp. if it's already publicly known) |
1da177e4 LT |
39 | to a few weeks. As a basic default policy, we expect report date to |
40 | disclosure date to be on the order of 7 days. | |
41 | ||
42 | 3) Non-disclosure agreements | |
1d7078d4 | 43 | ---------------------------- |
1da177e4 LT |
44 | |
45 | The Linux kernel security team is not a formal body and therefore unable | |
46 | to enter any non-disclosure agreements. |