xref: /linux/Documentation/process/security-bugs.rst (revision e2683c8868d03382da7e1ce8453b543a043066d1) 
1.. _securitybugs:
2
3Security bugs
4=============
5
6Linux kernel developers take security very seriously.  As such, we'd
7like to know when a security bug is found so that it can be fixed and
8disclosed as quickly as possible.
9
10Preparing your report
11---------------------
12
13Like with any bug report, a security bug report requires a lot of analysis work
14from the developers, so the more information you can share about the issue, the
15better.  Please review the procedure outlined in
16Documentation/admin-guide/reporting-issues.rst if you are unclear about what
17information is helpful.  The following information are absolutely necessary in
18**any** security bug report:
19
20  * **affected kernel version range**: with no version indication, your report
21    will not be processed.  A significant part of reports are for bugs that
22    have already been fixed, so it is extremely important that vulnerabilities
23    are verified on recent versions (development tree or latest stable
24    version), at least by verifying that the code has not changed since the
25    version where it was detected.
26
27  * **description of the problem**: a detailed description of the problem, with
28    traces showing its manifestation, and why you consider that the observed
29    behavior as a problem in the kernel, is necessary.
30
31  * **reproducer**: developers will need to be able to reproduce the problem to
32    consider a fix as effective.  This includes both a way to trigger the issue
33    and a way to confirm it happens.  A reproducer with low complexity
34    dependencies will be needed (source code, shell script, sequence of
35    instructions, file-system image etc).  Binary-only executables are not
36    accepted.  Working exploits are extremely helpful and will not be released
37    without consent from the reporter, unless they are already public.  By
38    definition if an issue cannot be reproduced, it is not exploitable, thus it
39    is not a security bug.
40
41  * **conditions**: if the bug depends on certain configuration options,
42    sysctls, permissions, timing, code modifications etc, these should be
43    indicated.
44
45In addition, the following information are highly desirable:
46
47  * **suspected location of the bug**: the file names and functions where the
48    bug is suspected to be present are very important, at least to help forward
49    the report to the appropriate maintainers.  When not possible (for example,
50    "system freezes each time I run this command"), the security team will help
51    identify the source of the bug.
52
53  * **a proposed fix**: bug reporters who have analyzed the cause of a bug in
54    the source code almost always have an accurate idea on how to fix it,
55    because they spent a long time studying it and its implications.  Proposing
56    a tested fix will save maintainers a lot of time, even if the fix ends up
57    not being the right one, because it helps understand the bug.  When
58    proposing a tested fix, please always format it in a way that can be
59    immediately merged (see Documentation/process/submitting-patches.rst).
60    This will save some back-and-forth exchanges if it is accepted, and you
61    will be credited for finding and fixing this issue.  Note that in this case
62    only a ``Signed-off-by:`` tag is needed, without ``Reported-by:`` when the
63    reporter and author are the same.
64
65  * **mitigations**: very often during a bug analysis, some ways of mitigating
66    the issue appear. It is useful to share them, as they can be helpful to
67    keep end users protected during the time it takes them to apply the fix.
68
69Identifying contacts
70--------------------
71
72The most effective way to report a security bug is to send it directly to the
73affected subsystem's maintainers and Cc: the Linux kernel security team.  Do
74not send it to a public list at this stage, unless you have good reasons to
75consider the issue as being public or trivial to discover (e.g. result of a
76widely available automated vulnerability scanning tool that can be repeated by
77anyone).
78
79If you're sending a report for issues affecting multiple parts in the kernel,
80even if they're fairly similar issues, please send individual messages (think
81that maintainers will not all work on the issues at the same time). The only
82exception is when an issue concerns closely related parts maintained by the
83exact same subset of maintainers, and these parts are expected to be fixed all
84at once by the same commit, then it may be acceptable to report them at once.
85
86One difficulty for most first-time reporters is to figure the right list of
87recipients to send a report to.  In the Linux kernel, all official maintainers
88are trusted, so the consequences of accidentally including the wrong maintainer
89are essentially a bit more noise for that person, i.e. nothing dramatic.  As
90such, a suitable method to figure the list of maintainers (which kernel
91security officers use) is to rely on the get_maintainer.pl script, tuned to
92only report maintainers.  This script, when passed a file name, will look for
93its path in the MAINTAINERS file to figure a hierarchical list of relevant
94maintainers.  Calling it a first time with the finest level of filtering will
95most of the time return a short list of this specific file's maintainers::
96
97  $ ./scripts/get_maintainer.pl --no-l --no-r --pattern-depth 1 \
98    drivers/example.c
99  Developer One <dev1@example.com> (maintainer:example driver)
100  Developer Two <dev2@example.org> (maintainer:example driver)
101
102These two maintainers should then receive the message.  If the command does not
103return anything, it means the affected file is part of a wider subsystem, so we
104should be less specific::
105
106  $ ./scripts/get_maintainer.pl --no-l --no-r drivers/example.c
107  Developer One <dev1@example.com> (maintainer:example subsystem)
108  Developer Two <dev2@example.org> (maintainer:example subsystem)
109  Developer Three <dev3@example.com> (maintainer:example subsystem [GENERAL])
110  Developer Four <dev4@example.org> (maintainer:example subsystem [GENERAL])
111
112Here, picking the first, most specific ones, is sufficient.  When the list is
113long, it is possible to produce a comma-delimited e-mail address list on a
114single line suitable for use in the To: field of a mailer like this::
115
116  $ ./scripts/get_maintainer.pl --no-tree --no-l --no-r --no-n --m \
117    --no-git-fallback --no-substatus --no-rolestats --no-multiline \
118    --pattern-depth 1 drivers/example.c
119  dev1@example.com, dev2@example.org
120
121or this for the wider list::
122
123  $ ./scripts/get_maintainer.pl --no-tree --no-l --no-r --no-n --m \
124    --no-git-fallback --no-substatus --no-rolestats --no-multiline \
125    drivers/example.c
126  dev1@example.com, dev2@example.org, dev3@example.com, dev4@example.org
127
128If at this point you're still facing difficulties spotting the right
129maintainers, **and only in this case**, it's possible to send your report to
130the Linux kernel security team only.  Your message will be triaged, and you
131will receive instructions about whom to contact, if needed.  Your message may
132equally be forwarded as-is to the relevant maintainers.
133
134Sending the report
135------------------
136
137Reports are to be sent over e-mail exclusively.  Please use a working e-mail
138address, preferably the same that you want to appear in ``Reported-by`` tags
139if any.  If unsure, send your report to yourself first.
140
141The security team and maintainers almost always require additional
142information beyond what was initially provided in a report and rely on
143active and efficient collaboration with the reporter to perform further
144testing (e.g., verifying versions, configuration options, mitigations, or
145patches). Before contacting the security team, the reporter must ensure
146they are available to explain their findings, engage in discussions, and
147run additional tests.  Reports where the reporter does not respond promptly
148or cannot effectively discuss their findings may be abandoned if the
149communication does not quickly improve.
150
151The report must be sent to maintainers, with the security team in ``Cc:``.
152The Linux kernel security team can be contacted by email at
153<security@kernel.org>.  This is a private list of security officers
154who will help verify the bug report and assist developers working on a fix.
155It is possible that the security team will bring in extra help from area
156maintainers to understand and fix the security vulnerability.
157
158Please send **plain text** emails without attachments where possible.
159It is much harder to have a context-quoted discussion about a complex
160issue if all the details are hidden away in attachments.  Think of it like a
161:doc:`regular patch submission <../process/submitting-patches>`
162(even if you don't have a patch yet): describe the problem and impact, list
163reproduction steps, and follow it with a proposed fix, all in plain text.
164Markdown, HTML and RST formatted reports are particularly frowned upon since
165they're quite hard to read for humans and encourage to use dedicated viewers,
166sometimes online, which by definition is not acceptable for a confidential
167security report. Note that some mailers tend to mangle formatting of plain
168text by default, please consult Documentation/process/email-clients.rst for
169more info.
170
171Disclosure and embargoed information
172------------------------------------
173
174The security list is not a disclosure channel.  For that, see Coordination
175below.
176
177Once a robust fix has been developed, the release process starts.  Fixes
178for publicly known bugs are released immediately.
179
180Although our preference is to release fixes for publicly undisclosed bugs
181as soon as they become available, this may be postponed at the request of
182the reporter or an affected party for up to 7 calendar days from the start
183of the release process, with an exceptional extension to 14 calendar days
184if it is agreed that the criticality of the bug requires more time.  The
185only valid reason for deferring the publication of a fix is to accommodate
186the logistics of QA and large scale rollouts which require release
187coordination.
188
189While embargoed information may be shared with trusted individuals in
190order to develop a fix, such information will not be published alongside
191the fix or on any other disclosure channel without the permission of the
192reporter.  This includes but is not limited to the original bug report
193and followup discussions (if any), exploits, CVE information or the
194identity of the reporter.
195
196In other words our only interest is in getting bugs fixed.  All other
197information submitted to the security list and any followup discussions
198of the report are treated confidentially even after the embargo has been
199lifted, in perpetuity.
200
201Coordination with other groups
202------------------------------
203
204While the kernel security team solely focuses on getting bugs fixed,
205other groups focus on fixing issues in distros and coordinating
206disclosure between operating system vendors.  Coordination is usually
207handled by the "linux-distros" mailing list and disclosure by the
208public "oss-security" mailing list, both of which are closely related
209and presented in the linux-distros wiki:
210<https://oss-security.openwall.org/wiki/mailing-lists/distros>
211
212Please note that the respective policies and rules are different since
213the 3 lists pursue different goals.  Coordinating between the kernel
214security team and other teams is difficult since for the kernel security
215team occasional embargoes (as subject to a maximum allowed number of
216days) start from the availability of a fix, while for "linux-distros"
217they start from the initial post to the list regardless of the
218availability of a fix.
219
220As such, the kernel security team strongly recommends that as a reporter
221of a potential security issue you DO NOT contact the "linux-distros"
222mailing list UNTIL a fix is accepted by the affected code's maintainers
223and you have read the distros wiki page above and you fully understand
224the requirements that contacting "linux-distros" will impose on you and
225the kernel community.  This also means that in general it doesn't make
226sense to Cc: both lists at once, except maybe for coordination if and
227while an accepted fix has not yet been merged.  In other words, until a
228fix is accepted do not Cc: "linux-distros", and after it's merged do not
229Cc: the kernel security team.
230
231CVE assignment
232--------------
233
234The security team does not assign CVEs, nor do we require them for
235reports or fixes, as this can needlessly complicate the process and may
236delay the bug handling.  If a reporter wishes to have a CVE identifier
237assigned for a confirmed issue, they can contact the :doc:`kernel CVE
238assignment team<../process/cve>` to obtain one.
239
240Non-disclosure agreements
241-------------------------
242
243The Linux kernel security team is not a formal body and therefore unable
244to enter any non-disclosure agreements.
245