I note the absence of anything in Documentation/SecurityBugs binding the
Linux kernel hackers to *anything*. All it describes is the way that bugs
sent to the *kernel security team* are managed. I see nothing that says
that security bugs described anywhere *else* need to be handled in any
particular way, or that anyone else involved with the kernel needs to pay
the document any attention at all.

(Perhaps the file needs to say more clearly that this is not a security
policy for the kernel, just a place to which people can report security
bugs if they'd rather not get the standard Linus kill-it-now approach.)

I think this has all been a giant misreading from the start.