projects / linux.git / blame
| Commit | Line | Data |
|---|---|---|
| 609d99a3 MCC |
1 | .. _securitybugs: |
| 2 | ||
| 1d7078d4 MCC |
3 | Security bugs |
| 4 | ============= | |
| 5 | ||
| 1da177e4 LT |
6 | Linux kernel developers take security very seriously. As such, we'd |
| 7 | like to know when a security bug is found so that it can be fixed and | |
| 8 | disclosed as quickly as possible. Please report security bugs to the | |
| 9 | Linux kernel security team. | |
| 10 | ||
| 9d85025b MCC |
11 | Contact |
| 12 | ------- | |
| 1da177e4 LT |
13 | |
| 14 | The Linux kernel security team can be contacted by email at | |
| 15 | <[email protected]>. This is a private list of security officers | |
| 16 | who will help verify the bug report and develop and release a fix. | |
| 49978be7 KC |
17 | If you already have a fix, please include it with your report, as |
| 18 | that can speed up the process considerably. It is possible that the | |
| 19 | security team will bring in extra help from area maintainers to | |
| 20 | understand and fix the security vulnerability. | |
| 1da177e4 LT |
21 | |
| 22 | As it is with any bug, the more information provided the easier it | |
| 23 | will be to diagnose and fix. Please review the procedure outlined in | |
| 49978be7 KC |
24 | admin-guide/reporting-bugs.rst if you are unclear about what |
| 25 | information is helpful. Any exploit code is very helpful and will not | |
| 26 | be released without consent from the reporter unless it has already been | |
| 27 | made public. | |
| 1da177e4 | 28 | |
| 14fdc2c5 WD |
29 | Disclosure and embargoed information |
| 30 | ------------------------------------ | |
| 31 | ||
| 32 | The security list is not a disclosure channel. For that, see Coordination | |
| 33 | below. | |
| 34 | ||
| 544b03da WD |
35 | Once a robust fix has been developed, the release process starts. Fixes |
| 36 | for publicly known bugs are released immediately. | |
| 37 | ||
| 38 | Although our preference is to release fixes for publicly undisclosed bugs | |
| 39 | as soon as they become available, this may be postponed at the request of | |
| 40 | the reporter or an affected party for up to 7 calendar days from the start | |
| 41 | of the release process, with an exceptional extension to 14 calendar days | |
| 42 | if it is agreed that the criticality of the bug requires more time. The | |
| 43 | only valid reason for deferring the publication of a fix is to accommodate | |
| 44 | the logistics of QA and large scale rollouts which require release | |
| 45 | coordination. | |
| 14fdc2c5 WD |
46 | |
| 47 | Whilst embargoed information may be shared with trusted individuals in | |
| 48 | order to develop a fix, such information will not be published alongside | |
| 49 | the fix or on any other disclosure channel without the permission of the | |
| 50 | reporter. This includes but is not limited to the original bug report | |
| 51 | and followup discussions (if any), exploits, CVE information or the | |
| 52 | identity of the reporter. | |
| 53 | ||
| 54 | In other words our only interest is in getting bugs fixed. All other | |
| 55 | information submitted to the security list and any followup discussions | |
| 56 | of the report are treated confidentially even after the embargo has been | |
| 57 | lifted, in perpetuity. | |
| 1da177e4 | 58 | |
| 49978be7 KC |
59 | Coordination |
| 60 | ------------ | |
| 61 | ||
| 62 | Fixes for sensitive bugs, such as those that might lead to privilege | |
| 63 | escalations, may need to be coordinated with the private | |
| 64 | <[email protected]> mailing list so that distribution vendors | |
| 65 | are well prepared to issue a fixed kernel upon public disclosure of the | |
| 66 | upstream fix. Distros will need some time to test the proposed patch and | |
| 67 | will generally request at least a few days of embargo, and vendor update | |
| 68 | publication prefers to happen Tuesday through Thursday. When appropriate, | |
| 69 | the security team can assist with this coordination, or the reporter can | |
| 70 | include linux-distros from the start. In this case, remember to prefix | |
| 71 | the email Subject line with "[vs]" as described in the linux-distros wiki: | |
| 72 | <http://oss-security.openwall.org/wiki/mailing-lists/distros#how-to-use-the-lists> | |
| 73 | ||
| 74 | CVE assignment | |
| 75 | -------------- | |
| 76 | ||
| 77 | The security team does not normally assign CVEs, nor do we require them | |
| 78 | for reports or fixes, as this can needlessly complicate the process and | |
| 79 | may delay the bug handling. If a reporter wishes to have a CVE identifier | |
| 80 | assigned ahead of public disclosure, they will need to contact the private | |
| 81 | linux-distros list, described above. When such a CVE identifier is known | |
| 82 | before a patch is provided, it is desirable to mention it in the commit | |
| 14fdc2c5 | 83 | message if the reporter agrees. |
| 49978be7 | 84 | |
| 9d85025b MCC |
85 | Non-disclosure agreements |
| 86 | ------------------------- | |
| 1da177e4 LT |
87 | |
| 88 | The Linux kernel security team is not a formal body and therefore unable | |
| 89 | to enter any non-disclosure agreements. |