[dpdk-dev] [PATCH] doc: clarify disclosure time slot when no response

[Stephen Hemminger]

On Thu, 25 Feb 2021 14:14:29 +0000
Ferruh Yigit <ferruh.yigit at intel.com> wrote:

> On 2/2/2021 11:28 AM, Ferruh Yigit wrote:
> > On 1/25/2021 1:57 AM, Marvin Liu wrote:  
> >> Sometimes security team won't send confirmation mail back to reporter
> >> in three business days. This mean reported vulnerability is either low
> >> severity or not a real vulnerability. Reporter should assume that the
> >> issue need shortest embargo. After that reporter can submit it through
> >> normal bugzilla process or send out fix patch to public.
> >>
> >> Signed-off-by: Marvin Liu <yong.liu at intel.com>
> >> Signed-off-by: Qian Xu <qian.q.xu at intel.com>
> >>
> >> diff --git a/doc/guides/contributing/vulnerability.rst 
> >> b/doc/guides/contributing/vulnerability.rst
> >> index b6300252ad..cda814fa69 100644
> >> --- a/doc/guides/contributing/vulnerability.rst
> >> +++ b/doc/guides/contributing/vulnerability.rst
> >> @@ -99,6 +99,11 @@ Following information must be included in the mail:
> >>   * Reporter credit
> >>   * Bug ID (empty and restricted for future reference)
> >> +If no confirmation mail send back to reporter in this period, thus mean security
> >> +team take this vulnerability as low severity. Furthermore shortest embargo 
> >> **two weeks**
> >> +is required for it. Reporter can sumbit the bug through normal process or send
> >> +out patch to public.
> >> +  
> > 
> > Agree to not block the fixes, it is defeating the purpose to have a 
> > vulnerability process.  
> 
> The patch is out for a while and there is no objection so far, I suggest just 
> keep continue with the fixes stuck in the process.

Marking this patch as rejected. Open to future wording/process changes here
but it didn't seem necessary and no consensus in several years