From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 96E55A052A; Mon, 25 Jan 2021 02:57:42 +0100 (CET) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 1464C140DA3; Mon, 25 Jan 2021 02:57:42 +0100 (CET) Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) by mails.dpdk.org (Postfix) with ESMTP id 72E82140DA1 for ; Mon, 25 Jan 2021 02:57:40 +0100 (CET) IronPort-SDR: cV1xULcKU8iR0j2uib3jW1N9pa2+HqbEbT4BR15otaUaN+jsHNmdsBG4pVngpawsUuhd2K748E cSkSUYlrlECA== X-IronPort-AV: E=McAfee;i="6000,8403,9874"; a="179729948" X-IronPort-AV: E=Sophos;i="5.79,372,1602572400"; d="scan'208";a="179729948" Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga103.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Jan 2021 17:57:39 -0800 IronPort-SDR: 32KH1nmGU+iKaIMVYr2vdcrN60NCh+OqAQ6F9NtJ2wKiYDArs5ZILlWaVCV4ufN1hEUWI/fKO1 pJMIVA1o4evQ== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.79,372,1602572400"; d="scan'208";a="429013011" Received: from npg-dpdk-virtual-marvin-dev.sh.intel.com ([10.67.119.108]) by orsmga001.jf.intel.com with ESMTP; 24 Jan 2021 17:57:36 -0800 From: Marvin Liu To: ferruh.yigit@intel.com, stephen@networkplumber.org, thomas@monjalon.net, maxime.coquelin@redhat.com, qian.q.xu@intel.com Cc: dev@dpdk.org, Marvin Liu Date: Mon, 25 Jan 2021 09:57:36 +0800 Message-Id: <20210125015736.7555-1-yong.liu@intel.com> X-Mailer: git-send-email 2.17.1 Subject: [dpdk-dev] [PATCH] doc: clarify disclosure time slot when no response X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Sometimes security team won't send confirmation mail back to reporter in three business days. This mean reported vulnerability is either low severity or not a real vulnerability. Reporter should assume that the issue need shortest embargo. After that reporter can submit it through normal bugzilla process or send out fix patch to public. Signed-off-by: Marvin Liu Signed-off-by: Qian Xu diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst index b6300252ad..cda814fa69 100644 --- a/doc/guides/contributing/vulnerability.rst +++ b/doc/guides/contributing/vulnerability.rst @@ -99,6 +99,11 @@ Following information must be included in the mail: * Reporter credit * Bug ID (empty and restricted for future reference) +If no confirmation mail send back to reporter in this period, thus mean security +team take this vulnerability as low severity. Furthermore shortest embargo **two weeks** +is required for it. Reporter can sumbit the bug through normal process or send +out patch to public. + CVE Request ----------- -- 2.17.1