]>
Commit | Line | Data |
---|---|---|
609d99a3 MCC |
1 | .. _securitybugs: |
2 | ||
1d7078d4 MCC |
3 | Security bugs |
4 | ============= | |
5 | ||
1da177e4 LT |
6 | Linux kernel developers take security very seriously. As such, we'd |
7 | like to know when a security bug is found so that it can be fixed and | |
8 | disclosed as quickly as possible. Please report security bugs to the | |
9 | Linux kernel security team. | |
10 | ||
9d85025b MCC |
11 | Contact |
12 | ------- | |
1da177e4 LT |
13 | |
14 | The Linux kernel security team can be contacted by email at | |
15 | <security@kernel.org>. This is a private list of security officers | |
16 | who will help verify the bug report and develop and release a fix. | |
49978be7 KC |
17 | If you already have a fix, please include it with your report, as |
18 | that can speed up the process considerably. It is possible that the | |
19 | security team will bring in extra help from area maintainers to | |
20 | understand and fix the security vulnerability. | |
1da177e4 LT |
21 | |
22 | As it is with any bug, the more information provided the easier it | |
23 | will be to diagnose and fix. Please review the procedure outlined in | |
49978be7 KC |
24 | admin-guide/reporting-bugs.rst if you are unclear about what |
25 | information is helpful. Any exploit code is very helpful and will not | |
26 | be released without consent from the reporter unless it has already been | |
27 | made public. | |
1da177e4 | 28 | |
9d85025b MCC |
29 | Disclosure |
30 | ---------- | |
1da177e4 LT |
31 | |
32 | The goal of the Linux kernel security team is to work with the | |
33 | bug submitter to bug resolution as well as disclosure. We prefer | |
34 | to fully disclose the bug as soon as possible. It is reasonable to | |
35 | delay disclosure when the bug or the fix is not yet fully understood, | |
36 | the solution is not well-tested or for vendor coordination. However, we | |
37 | expect these delays to be short, measurable in days, not weeks or months. | |
38 | A disclosure date is negotiated by the security team working with the | |
39 | bug submitter as well as vendors. However, the kernel security team | |
40 | holds the final say when setting a disclosure date. The timeframe for | |
25985edc | 41 | disclosure is from immediate (esp. if it's already publicly known) |
1da177e4 LT |
42 | to a few weeks. As a basic default policy, we expect report date to |
43 | disclosure date to be on the order of 7 days. | |
44 | ||
49978be7 KC |
45 | Coordination |
46 | ------------ | |
47 | ||
48 | Fixes for sensitive bugs, such as those that might lead to privilege | |
49 | escalations, may need to be coordinated with the private | |
50 | <linux-distros@vs.openwall.org> mailing list so that distribution vendors | |
51 | are well prepared to issue a fixed kernel upon public disclosure of the | |
52 | upstream fix. Distros will need some time to test the proposed patch and | |
53 | will generally request at least a few days of embargo, and vendor update | |
54 | publication prefers to happen Tuesday through Thursday. When appropriate, | |
55 | the security team can assist with this coordination, or the reporter can | |
56 | include linux-distros from the start. In this case, remember to prefix | |
57 | the email Subject line with "[vs]" as described in the linux-distros wiki: | |
58 | <http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists> | |
59 | ||
60 | CVE assignment | |
61 | -------------- | |
62 | ||
63 | The security team does not normally assign CVEs, nor do we require them | |
64 | for reports or fixes, as this can needlessly complicate the process and | |
65 | may delay the bug handling. If a reporter wishes to have a CVE identifier | |
66 | assigned ahead of public disclosure, they will need to contact the private | |
67 | linux-distros list, described above. When such a CVE identifier is known | |
68 | before a patch is provided, it is desirable to mention it in the commit | |
69 | message, though. | |
70 | ||
9d85025b MCC |
71 | Non-disclosure agreements |
72 | ------------------------- | |
1da177e4 LT |
73 | |
74 | The Linux kernel security team is not a formal body and therefore unable | |
75 | to enter any non-disclosure agreements. |