
What constitutes disclosure of a kernel vulnerability?


Posted Jun 4, 2022 5:57 UTC (Sat) by wtarreau (subscriber, #51152)
In reply to: What constitutes disclosure of a kernel vulnerability? by error27
Parent article: What constitutes disclosure of a kernel vulnerability?

[note that I'm also on the security list]

I used to think a list whose archives become public after some time would be a solution, but after so much time spent dealing with bug reports I changed my mind. The reason is the material that is provided by reporters. When they're security researchers we don't care; they do it for the purpose that it becomes public and sometimes even makes them famous. But for normal bugs reported from the field, that would seriously limit the material shared by the reporters. We could get a network trace, a binary program that triggers the bug and that we're not allowed to share, or a copy-paste of a part of a function from an internal program that's not open source. And for many companies there is a big difference between sharing some material with a small trusted team (as they do with a vendor support team) and sharing their material with the whole world.

And here the problem that is experienced by the kernel security list precisely is: how to contact vendors to share enough info with them to permit them to test their code and backports without sharing with the world some material we're not allowed to publish. oss-sec is too open, linux-distros is too strict. In fact linux-distros cannot serve to share info but to coordinate disclosure.

If we were to see these lists as network protocols, oss-sec is broadcast over a datagram protocol and linux-distros is session-oriented and unicast. We don't have the unicast datagram protocol we need to notify vendors.


What constitutes disclosure of a kernel vulnerability?

Posted Jun 6, 2022 6:12 UTC (Mon) by error27 (subscriber, #8346)

I also thought about if we could add vendors to s@k.o but that doesn't work. The job of figuring out severity and dealing with releases is totally different from just fixing the code.

Meanwhile this discussion is all driven by s@k.o and not by the distros. It's Greg telling people to ignore the linux-distro rules to get the information out there. Maybe the distributions are happy with the status quo? Perhaps something to discuss at Linux Plumbers.

What constitutes disclosure of a kernel vulnerability?

Posted Jun 6, 2022 16:57 UTC (Mon) by wtarreau (subscriber, #51152)

There's currently an ongoing discussion started by Vegard on LKML on this subject. I think that the situation is far from being bad; it's just that we're getting used to the repetition of annoyances, which tends to emphasize the problems. However, we must absolutely improve the process, because right now it is extremely confusing for reporters, and being directed to linux-distros is stressful to them once they're told that the time counter is engaged and they must do a lot of stuff. It needs to be smoother for them, including the first approach, which should be to avoid using closed lists for non-important stuff.

It's visible from the reports that most reporters at least hover over the doc, so once an optimal and smooth approach is figured out, I think it will result in fewer surprises for reporters and less friction for everyone.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds