Documentation: clarify the expected collaboration with security bugs reporters

author Willy Tarreau <w@1wt.eu>

Thu, 14 Aug 2025 19:27:29 +0000 (21:27 +0200)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Sun, 17 Aug 2025 10:23:28 +0000 (12:23 +0200)
author Willy Tarreau <w@1wt.eu>
Thu, 14 Aug 2025 19:27:29 +0000 (21:27 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 17 Aug 2025 10:23:28 +0000 (12:23 +0200)
diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst

index 56c560a00b37a6a3e99a7d9edaa45a103d7398bb..7dcc034d3df8ed65b322580961fe1dc86dc7c446 100644 (file)
--- a/Documentation/process/security-bugs.rst
+++ b/Documentation/process/security-bugs.rst
@@ -19,6 +19,16 @@ that can speed up the process considerably.  It is possible that the
  security team will bring in extra help from area maintainers to
  understand and fix the security vulnerability.
  
+The security team and maintainers almost always require additional
+information beyond what was initially provided in a report and rely on
+active and efficient collaboration with the reporter to perform further
+testing (e.g., verifying versions, configuration options, mitigations, or
+patches). Before contacting the security team, the reporter must ensure
+they are available to explain their findings, engage in discussions, and
+run additional tests.  Reports where the reporter does not respond promptly
+or cannot effectively discuss their findings may be abandoned if the
+communication does not quickly improve.
+
  As it is with any bug, the more information provided the easier it
  will be to diagnose and fix.  Please review the procedure outlined in
  'Documentation/admin-guide/reporting-issues.rst' if you are unclear about what
author	Willy Tarreau <w@1wt.eu>
	Thu, 14 Aug 2025 19:27:29 +0000 (21:27 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sun, 17 Aug 2025 10:23:28 +0000 (12:23 +0200)