MAINTAINERS: clarify that only verified bugs should be submitted to security@

We're seeing a raise of automated reports from testing tools and reports
about address leaks that are not really exploitable as-is, many of which
do not represent an immediate risk justifying to work in closed places.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
Willy Tarreau 2018-01-04 14:31:25 +01:00 committed by Linus Torvalds
parent 5132ede0fe
commit ce30f264b3
1 changed files with 9 additions and 1 deletions

View File

@ -62,7 +62,15 @@ trivial patch so apply some common sense.
7. When sending security related changes or reports to a maintainer
please Cc: security@kernel.org, especially if the maintainer
does not respond.
does not respond. Please keep in mind that the security team is
a small set of people who can be efficient only when working on
verified bugs. Please only Cc: this list when you have identified
that the bug would present a short-term risk to other users if it
were publicly disclosed. For example, reports of address leaks do
not represent an immediate threat and are better handled publicly,
and ideally, should come with a patch proposal. Please do not send
automated reports to this list either. Such bugs will be handled
better and faster in the usual public places.
8. Happy hacking.