Subject: [PATCH] docs: clarify security-bugs disclosure policy
From: Dave Hansen
Date: Tue, 06 Mar 2018 15:31:40 -0800
To: linux-kernel@vger.kernel.org
Cc: Dave Hansen, tglx@linutronix.de, gregkh@linuxfoundation.org, torvalds@linux-foundation.org, gnomes@lxorguk.ukuu.org.uk, aarcange@redhat.com, luto@kernel.org, keescook@google.com, tim.c.chen@linux.intel.com, dan.j.williams@intel.com, viro@zeniv.linux.org.uk, akpm@linux-foundation.org, linux-doc@vger.kernel.org, corbet@lwn.net, mark.rutland@arm.com
Message-Id: <20180306233140.268BD8E1@viggo.jf.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Dave Hansen

I think we need to soften the language a bit. It might scare folks off, especially the:

	We prefer to fully disclose the bug as soon as possible.

which is not really the case. As Greg mentioned in private mail, we really do not prefer to disclose things until *after* a fix.

The whole "we have the final say" is also a bit harsh.

Signed-off-by: Dave Hansen
Cc: Thomas Gleixner
Cc: Greg Kroah-Hartman
Cc: Linus Torvalds
Cc: Alan Cox
Cc: Andrea Arcangeli
Cc: Andy Lutomirski
Cc: Kees Cook
Cc: Tim Chen
Cc: Dan Williams
Cc: Alexander Viro
Cc: Andrew Morton
Cc: linux-doc@vger.kernel.org
Cc: Jonathan Corbet
Cc: Mark Rutland
---

 b/Documentation/admin-guide/security-bugs.rst | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff -puN Documentation/admin-guide/security-bugs.rst~embargo Documentation/admin-guide/security-bugs.rst
--- a/Documentation/admin-guide/security-bugs.rst~embargo	2018-03-06 14:47:04.519431230 -0800
+++ b/Documentation/admin-guide/security-bugs.rst	2018-03-06 14:57:46.410429629 -0800
@@ -29,18 +29,22 @@ made public. Disclosure ---------- -The goal of the Linux kernel security team is to work with the -bug submitter to bug resolution as well as disclosure. We prefer -to fully disclose the bug as soon as possible. It is reasonable to -delay disclosure when the bug or the fix is not yet fully understood, -the solution is not well-tested or for vendor coordination. However, we -expect these delays to be short, measurable in days, not weeks or months. +The goal of the Linux kernel security team is to work with the bug +submitter to bug resolution as well as disclosure. We prefer to fully +disclose the bug as soon as possible after a fix is available. It is +customary to delay disclosure when the bug or the fix is not yet fully +understood, the solution is not well-tested or for vendor coordination. +However, we expect these delays to typically be short, measurable in +days, not weeks or months. + A disclosure date is negotiated by the security team working with the -bug submitter as well as vendors. However, the kernel security team -holds the final say when setting a disclosure date. The timeframe for -disclosure is from immediate (esp. if it's already publicly known) -to a few weeks. As a basic default policy, we expect report date to -disclosure date to be on the order of 7 days. +bug submitter as well as affected vendors. The security team prefers +coordinated disclosure and will consider pre-existing, reasonable +disclosure dates. + +The timeframe for disclosure ranges from immediate (esp. if it's +already publicly known) to a few weeks. As a basic default policy, we +expect report date to disclosure date to be on the order of 7 days. Coordination ------------ _
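Review bot: Dropping "the kernel security team holds the final say when setting a disclosure date" and replacing it with "will consider pre-existing, reasonable disclosure dates" leaves the Disclosure section silent on what happens when the submitter, a vendor and the security team cannot agree, and on who decides whether a proposed date is "reasonable"; a reporter reading this will not know whether their requested embargo is binding. Consider keeping one sentence that names the decision maker in softer terms, e.g. "When no date can be agreed on, the security team will set one within the range below." Related: the rewritten first paragraph now says disclosure happens "as soon as possible after a fix is available" and that delays are "customary", but the retained default of "report date to disclosure date ... on the order of 7 days" is unchanged, so the two paragraphs together imply a fix is expected within about a week of the report; if that is intended, say so explicitly, otherwise clarify that the 7-day default is measured from fix availability rather than from the report. Minor style: "to typically be short" splits the infinitive ("typically to be short"), and the list "when the bug or the fix is not yet fully understood, the solution is not well-tested or for vendor coordination" mixes clauses with a noun phrase; "when ... is not well-tested, or when vendor coordination is needed" keeps the items parallel.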