Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp24892444rwd;
        Sun, 2 Jul 2023 06:43:11 -0700 (PDT)
X-Google-Smtp-Source: APBJJlHzWNPT5MlSiqTb9ue5l6Pr6H6CWKInfJoRrhEsODgnZOOiweBP1Lr2praQtWu1f+fAQNfZ
X-Received: by 2002:a17:90a:f183:b0:263:3ccc:dfe4 with SMTP id bv3-20020a17090af18300b002633cccdfe4mr4351654pjb.1.1688305391003;
        Sun, 02 Jul 2023 06:43:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1688305390; cv=none;
        d=google.com; s=arc-20160816;
        b=G9PhvPYn9IuxmXYtUmaQpfrIDgzfPj6xrP3U5rso9Ig56rVK1+2FsH8APS8CjatxHr
         /vzjoAhy0zoVn7voIM4rP0qCeYta1OiB0DtfZdJcpXBPLmy8XBfpvTng8ICpeiB5aYEs
         EqtsV8e3PRay9ErwwHriDAN0CkdbBjJ4Lz01JfvFCGcudezCIE/Ds4LZ+1kCVzHMzHTy
         z2+oEqFosi2lyzRbmGn5I7Jgwl6K1M7h+NWxNqOaxQPNgvqJkRyOCsoJvNrpuOphDD9Q
         WlIdswwq1yBd58lmlzCRadVEpTRn4jX1aQzbPmqTGViDwRiJMHqbGTa5gvhhMqEzVc9P
         InFA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=RFEDrIYkqMOzGnBcWrsWKIhuL+06WfbrjOEXNz11YwY=;
        fh=Vsj6bgfrraoug3G2ChDrL7Zg61B8w+UDtBg1zX4f1II=;
        b=BAoPGWbFEH9yj2KIq6hSWQkweMoDdRfnh5G94UUlcf8sACW0gvWEg6IliX90XDxV22
         njRsI9mNExv+3npJeN7aMFgxstRuy7hGezJtFPEcer0LnO5ZDb3IqxRP3YBC2B2MCG6+
         AvT8Rva6y0/hgfp6rohL7yArpDcL4el8mjFw646y1F/eu3etr539PnSZAw0HYpTxMlCl
         XqXLyfStwD8rD3fT6I+5+ZeRWIh8KXF8WLVVsD6ox61a5y48bLTvYQfEMqdDARWRje9q
         Uurm4d+On+PYLcWHkCS6nOQDA8k9ZytEZu/DeMa4H34ZUnDzyUxTGlILVFEr4d2HtGoi
         O+XA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=jyxA0qYi;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id bs67-20020a632846000000b00542ad648fbasi5508055pgb.188.2023.07.02.06.42.56;
        Sun, 02 Jul 2023 06:43:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=jyxA0qYi;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229914AbjGBMkB (ORCPT <rfc822;alcock.james@gmail.com>
        + 99 others); Sun, 2 Jul 2023 08:40:01 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34910 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229460AbjGBMj7 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 2 Jul 2023 08:39:59 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9E20812A;
        Sun,  2 Jul 2023 05:39:58 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id 1E60660BD8;
        Sun,  2 Jul 2023 12:39:58 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id E9C0FC433C8;
        Sun,  2 Jul 2023 12:39:56 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1688301597;
        bh=Gs10fttTgnhj5fhjLDWFZ0nrwMhadhZS6+ukxYV05Bw=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=jyxA0qYizBtdPmWrk2kjuW65B0CjVfIE8CbaJzq8Km7bcrnlErGRNRnEwesmL9cIf
         gwFhHQokKhnVJYn9t/qYRVj7c55uJlu7pjrdZBCZJRwqCLlYDK3rsIowy9krOr3gvY
         8VtLI43tqlGvp/Ard9XCx9MM8Fq5KuzjRMH7dQZg=
Date:   Sun, 2 Jul 2023 14:39:49 +0200
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     Kees Cook <keescook@chromium.org>
Cc:     linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
        security@kernel.org, corbet@lwn.net, workflows@vger.kernel.org
Subject: Re: [PATCH 2/2] Documentation: security-bugs.rst: clarify CVE
 handling
Message-ID: <2023070213-capacity-moneybags-3668@gregkh>
References: <2023063020-throat-pantyhose-f110@gregkh>
 <2023063022-retouch-kerosene-7e4a@gregkh>
 <202306301114.E199B136@keescook>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <202306301114.E199B136@keescook>
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jun 30, 2023 at 11:18:37AM -0700, Kees Cook wrote:
> On Fri, Jun 30, 2023 at 09:14:21AM +0200, Greg Kroah-Hartman wrote:
> > The kernel security team does NOT assign CVEs, so document that properly
> > and provide the "if you want one, ask MITRE for it" response that we
> > give on a weekly basis in the document, so we don't have to constantly
> > say it to everyone who asks.
> > 
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > ---
> >  Documentation/process/security-bugs.rst | 11 ++++-------
> >  1 file changed, 4 insertions(+), 7 deletions(-)
> > 
> > diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
> > index f12ac2316ce7..8b80e1eb7d79 100644
> > --- a/Documentation/process/security-bugs.rst
> > +++ b/Documentation/process/security-bugs.rst
> > @@ -79,13 +79,10 @@ not contribute to actually fixing any potential security problems.
> >  CVE assignment
> >  --------------
> >  
> > -The security team does not normally assign CVEs, nor do we require them
> > -for reports or fixes, as this can needlessly complicate the process and
> > -may delay the bug handling. If a reporter wishes to have a CVE identifier
> > -assigned ahead of public disclosure, they will need to contact the private
> > -linux-distros list, described above. When such a CVE identifier is known
> > -before a patch is provided, it is desirable to mention it in the commit
> > -message if the reporter agrees.
> > +The security team does not assign CVEs, nor do we require them for
> > +reports or fixes, as this can needlessly complicate the process and may
> > +delay the bug handling.  If a reporter wishes to have a CVE identifier
> > +assigned, they should contact MITRE directly.
> 
> Hmm. The language about "assigned ahead of public disclosure" was added
> intentionally due to trouble we'd had with coordination when a CVE was
> needed, etc. Additionally, it IS preferred to have a CVE in a patch when
> it IS known ahead of time, so I think that should be kept. How about
> this:
> 
> 
> diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst
> index 82e29837d589..2f4060d49b31 100644
> --- a/Documentation/process/security-bugs.rst
> +++ b/Documentation/process/security-bugs.rst
> @@ -81,13 +81,12 @@ the email Subject line with "[vs]" as described in the linux-distros wiki:
>  CVE assignment
>  --------------
>  
> -The security team does not normally assign CVEs, nor do we require them
> -for reports or fixes, as this can needlessly complicate the process and
> -may delay the bug handling. If a reporter wishes to have a CVE identifier
> -assigned ahead of public disclosure, they will need to contact the private
> -linux-distros list, described above. When such a CVE identifier is known
> -before a patch is provided, it is desirable to mention it in the commit
> -message if the reporter agrees.
> +The security team does not assign CVEs, nor do we require them for reports
> +or fixes, as this can needlessly complicate the process and may delay
> +the bug handling. If a reporter wishes to have a CVE identifier assigned
> +ahead of public disclosure, they will need to contact MITRE directly.
> +When such a CVE identifier is known before a patch is provided, it is
> +desirable to mention it in the commit message if the reporter agrees.

I can not, in good faith, with the current mess that MITRE is going
through, tell anyone that they should contact MITRE ahead of public
disclosure, sorry.

All I can say is "if you really want one, go ask them for one", as
everyone keeps asking us for one to pad their resume/CV.

Also note that many non-US-based companies are not allowed to contact a
US-government-backed entity for potential security issues for obvious
reasons.

So I don't want to even give a hint that we support or request this at
all, or that it is something that changelog texts should contain for
security issues (for the obvious reason of them being a "hint" one way
or another.)

External groups may wish to play the CVE "game" as it facilitates their
engineering procedures to get changes past managers, but that's not
anything that we should be encouraging at all for all of the various
geopolitical and corporate reasons involved in that mess.

thanks,

greg k-h