On Thu, 25 Feb 2021 14:14:29 +0000 Ferruh Yigit <[email protected]> wrote:
> On 2/2/2021 11:28 AM, Ferruh Yigit wrote: > > On 1/25/2021 1:57 AM, Marvin Liu wrote: > >> Sometimes security team won't send confirmation mail back to reporter > >> in three business days. This mean reported vulnerability is either low > >> severity or not a real vulnerability. Reporter should assume that the > >> issue need shortest embargo. After that reporter can submit it through > >> normal bugzilla process or send out fix patch to public. > >> > >> Signed-off-by: Marvin Liu <[email protected]> > >> Signed-off-by: Qian Xu <[email protected]> > >> > >> diff --git a/doc/guides/contributing/vulnerability.rst > >> b/doc/guides/contributing/vulnerability.rst > >> index b6300252ad..cda814fa69 100644 > >> --- a/doc/guides/contributing/vulnerability.rst > >> +++ b/doc/guides/contributing/vulnerability.rst > >> @@ -99,6 +99,11 @@ Following information must be included in the mail: > >> * Reporter credit > >> * Bug ID (empty and restricted for future reference) > >> +If no confirmation mail send back to reporter in this period, thus mean > >> security > >> +team take this vulnerability as low severity. Furthermore shortest > >> embargo > >> **two weeks** > >> +is required for it. Reporter can sumbit the bug through normal process or > >> send > >> +out patch to public. > >> + > > > > Agree to not block the fixes, it is defeating the purpose to have a > > vulnerability process. > > The patch is out for a while and there is no objection so far, I suggest just > keep continue with the fixes stuck in the process. Marking this patch as rejected. Open to future wording/process changes here but it didn't seem necessary and no consensus in several years
