Date: Thu, 15 Jun 2023 09:17:32 -0700
From: Stephen Hemminger
To: Ferruh Yigit
Cc: Marvin Liu, thomas@monjalon.net, maxime.coquelin@redhat.com, qian.q.xu@intel.com, dev@dpdk.org
Subject: Re: [dpdk-dev] [PATCH] doc: clarify disclosure time slot when no response
Message-ID: <20230615091732.750f8879@hermes.local>
References: <20210125015736.7555-1-yong.liu@intel.com> <67154af1-a00e-2572-5ae9-75d965ab3169@intel.com>
List-Id: DPDK patches and discussions

On Thu, 25 Feb 2021 14:14:29 +0000
Ferruh Yigit wrote:

> On 2/2/2021 11:28 AM, Ferruh Yigit wrote:
> > On 1/25/2021 1:57 AM, Marvin Liu wrote:
> >> Sometimes the security team won't send a confirmation mail back to the reporter
> >> in three business days. This means the reported vulnerability is either low
> >> severity or not a real vulnerability. The reporter should assume that the
> >> issue needs the shortest embargo. After that the reporter can submit it through
> >> the normal bugzilla process or send out a fix patch to the public.
> >> > >> Signed-off-by: Marvin Liu > >> Signed-off-by: Qian Xu > >> > >> diff --git a/doc/guides/contributing/vulnerability.rst=20 > >> b/doc/guides/contributing/vulnerability.rst > >> index b6300252ad..cda814fa69 100644 > >> --- a/doc/guides/contributing/vulnerability.rst > >> +++ b/doc/guides/contributing/vulnerability.rst > >> @@ -99,6 +99,11 @@ Following information must be included in the mail: > >> =C2=A0 * Reporter credit > >> =C2=A0 * Bug ID (empty and restricted for future reference) > >> +If no confirmation mail send back to reporter in this period, thus me= an security > >> +team take this vulnerability as low severity. Furthermore shortest em= bargo=20 > >> **two weeks** > >> +is required for it. Reporter can sumbit the bug through normal proces= s or send > >> +out patch to public. > >> + =20 > >=20 > > Agree to not block the fixes, it is defeating the purpose to have a=20 > > vulnerability process. =20 >=20 > The patch is out for a while and there is no objection so far, I suggest = just=20 > keep continue with the fixes stuck in the process. Marking this patch as rejected. Open to future wording/process changes here but it didn't seem necessary and no consensus in several years
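Review bot: the added paragraph in the vulnerability.rst hunk follows the " * Bug ID" bullet directly with no blank line, so in reStructuredText the bullet list ends without a blank line and Sphinx will warn ("Bullet list ends without a blank line; unexpected unindent") rather than render the text as its own paragraph; insert an empty line before "+If no confirmation mail". The wording of the added lines also needs cleanup before it can go into user-facing documentation: "sumbit" should be "submit", "If no confirmation mail send back to reporter in this period, thus mean security team take this vulnerability as low severity" reads better as "If no confirmation mail is sent back to the reporter within three business days, the security team treats the vulnerability as low severity", which also pins down "this period", since the surrounding context in the hunk is the list of mail contents and does not define a period (the three business days come only from the commit message). Finally "**two weeks**" sits alone on its own line, so "Furthermore shortest embargo" and "is required for it" are split around it; keep "the shortest embargo of **two weeks** is required for it" on one line.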