From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.7 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B7FBAC433E0 for ; Tue, 2 Feb 2021 11:28:19 +0000 (UTC) Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by mail.kernel.org (Postfix) with ESMTP id 2A40564F4F for ; Tue, 2 Feb 2021 11:28:19 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 2A40564F4F Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=intel.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=dev-bounces@dpdk.org Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 3FDA624025D; Tue, 2 Feb 2021 12:28:18 +0100 (CET) Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by mails.dpdk.org (Postfix) with ESMTP id 3C76E240252 for ; Tue, 2 Feb 2021 12:28:16 +0100 (CET) IronPort-SDR: B3yA61h4UcqLyX3WLGEld+oRKuNc7Rl+q8CJUVPkGXYlh58ZVDMs0Z1pMFso1YETv8pFH5Oj9G /5+IZ9UptaOQ== X-IronPort-AV: E=McAfee;i="6000,8403,9882"; a="199755256" X-IronPort-AV: E=Sophos;i="5.79,394,1602572400"; d="scan'208";a="199755256" Received: from orsmga008.jf.intel.com ([10.7.209.65]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Feb 2021 03:28:15 -0800 IronPort-SDR: M1RbsGUom24UtE0BPzT1E4o1rwbw6ARGPIuMvrAnwVsLVLTjqoe5/6e2Dr73ejV7txlr4xpVwQ +A4q/loK39PA== X-IronPort-AV: E=Sophos;i="5.79,394,1602572400"; d="scan'208";a="391419355" Received: from fyigit-mobl1.ger.corp.intel.com (HELO [10.213.226.112]) ([10.213.226.112]) by orsmga008-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 02 Feb 2021 03:28:13 -0800 To: Marvin Liu , stephen@networkplumber.org, thomas@monjalon.net, maxime.coquelin@redhat.com, qian.q.xu@intel.com Cc: dev@dpdk.org References: <20210125015736.7555-1-yong.liu@intel.com> From: Ferruh Yigit Message-ID: <67154af1-a00e-2572-5ae9-75d965ab3169@intel.com> Date: Tue, 2 Feb 2021 11:28:09 +0000 MIME-Version: 1.0 In-Reply-To: <20210125015736.7555-1-yong.liu@intel.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit Subject: Re: [dpdk-dev] [PATCH] doc: clarify disclosure time slot when no response X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" On 1/25/2021 1:57 AM, Marvin Liu wrote: > Sometimes security team won't send confirmation mail back to reporter > in three business days. This mean reported vulnerability is either low > severity or not a real vulnerability. Reporter should assume that the > issue need shortest embargo. After that reporter can submit it through > normal bugzilla process or send out fix patch to public. > > Signed-off-by: Marvin Liu > Signed-off-by: Qian Xu > > diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst > index b6300252ad..cda814fa69 100644 > --- a/doc/guides/contributing/vulnerability.rst > +++ b/doc/guides/contributing/vulnerability.rst > @@ -99,6 +99,11 @@ Following information must be included in the mail: > * Reporter credit > * Bug ID (empty and restricted for future reference) > > +If no confirmation mail send back to reporter in this period, thus mean security > +team take this vulnerability as low severity. Furthermore shortest embargo **two weeks** > +is required for it. Reporter can sumbit the bug through normal process or send > +out patch to public. > + Agree to not block the fixes, it is defeating the purpose to have a vulnerability process.