On Sun, May 03, 2026 at 01:35:05PM +0200, Willy Tarreau wrote:
> The use of automated tools to find bugs in random locations of the kernel
> induces a raise of security reports even if most of them should just be
> reported as regular bugs. This patch is an attempt at drawing a line
> between what qualifies as a security bug and what does not, hoping to
> improve the situation and ease decision on the reporter's side.
>
> It defers the enumeration to a new file, threat-model.rst, that tries
> to enumerate various classes of issues that are and are not security
> bugs. This should permit to more easily update this file for various
> subsystem-specific rules without having to revisit the security bug
> reporting guide.
>
> Cc: Greg KH <[email protected]>
> Cc: Leon Romanovsky <[email protected]>
> Suggested-by: Leon Romanovsky <[email protected]>
> Suggested-by: Greg KH <[email protected]>
> Signed-off-by: Willy Tarreau <[email protected]>
> ---
> Documentation/process/index.rst | 1 +
> Documentation/process/security-bugs.rst | 28 +++
> Documentation/process/threat-model.rst | 231 ++++++++++++++++++++++++
> 3 files changed, 260 insertions(+)
> create mode 100644 Documentation/process/threat-model.rst

Thanks,
Reviewed-by: Leon Romanovsky <[email protected]>

