On Tue, Mar 6, 2018 at 3:31 PM, Dave Hansen <dave.han...@linux.intel.com> wrote: > > I think we need to soften the language a bit. It might scare folks > off, especially the: > > We prefer to fully disclose the bug as soon as possible. > > which is not really the case.
Ack. What we do is definitely not full disclosure. In fact, we often actively try to avoid disclosing details and leave that entirely to others. We disclose the *patches*, and the explanation of the patch, but not necessarily anything else (ie no exploit code or even any exploit discussion). We also don't explicitly disclose the discussion of the patches or the report, although part of it mayt obviously become more or less public for other reasons. So we should probably avoid using a term that means something else to a lot of people. And for similar reasons, I don't think the fixed verbiage should use "coordinated disclosure" either, like in your patch. That usually means the kind of embargoes that the security list does not honor. So I think it merits clarification, but maybe just specify the two things relevant to our disclosure: the fact that the patch and explanation for the patch gets made public (but not necessarily other effects), and that the timeframe is very limited. It's not full disclosure, it's not coordinated disclosure, and it's not "no disclosure". It's more like just "timely open fixes". Linus