From: Thomas Monjalon
To: ferruh.yigit@intel.com, stephen@networkplumber.org, maxime.coquelin@redhat.com
Cc: qian.q.xu@intel.com, dev@dpdk.org, Marvin Liu, david.marchand@redhat.com, "cheng.jiang@intel.com"
Subject: Re: [dpdk-dev] [PATCH] doc: clarify disclosure time slot when no response
Date: Fri, 31 Mar 2023 12:38:23 +0200
Message-ID: <7914272.ejJDZkT8p0@thomas>
In-Reply-To: <20210125015736.7555-1-yong.liu@intel.com>
References: <20210125015736.7555-1-yong.liu@intel.com>

25/01/2021 02:57, Marvin Liu:
> Sometimes the security team won't send a confirmation mail back to the reporter
> in three business days. This means the reported vulnerability is either low
> severity or not a real vulnerability. The reporter should assume that the
> issue needs the shortest embargo. After that the reporter can submit it through
> the normal bugzilla process or send out a fix patch to the public.
>
> Signed-off-by: Marvin Liu
> Signed-off-by: Qian Xu
>
> diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
> index b6300252ad..cda814fa69 100644
> --- a/doc/guides/contributing/vulnerability.rst
> +++ b/doc/guides/contributing/vulnerability.rst
> @@ -99,6 +99,11 @@ Following information must be included in the mail:
> * Reporter credit
> * Bug ID (empty and restricted for future reference)
>
> +If no confirmation mail send back to reporter in this period, thus mean security
> +team take this vulnerability as low severity. Furthermore shortest embargo **two weeks**
> +is required for it. Reporter can sumbit the bug through normal process or send

sumbit -> submit

> +out patch to public.

Do we agree on the principle?
Does it require a bit of rewriting?
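Review bot: in the added paragraph, "in this period" has no antecedent in the document text itself; the three business days are only stated in the commit message, so a reader of vulnerability.rst cannot tell which period triggers the rule. Suggest naming it explicitly, e.g. "If the security team sends no confirmation within three business days, the reporter may treat the issue as low severity and apply the shortest embargo of **two weeks**." The hunk also turns silence into a severity verdict without giving the reporter any step to re-send the report or ask for an acknowledgment before publishing; a sentence asking the reporter to ping the security team once before assuming low severity would avoid a public fix patch for a report that was simply never seen. The wording needs a grammar pass as well ("mail send back", "thus mean security team take", "sumbit").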