Jonathan Corbet <[email protected]> writes: > Willy Tarreau <[email protected]> writes: > >> On Wed, May 13, 2026 at 12:30:10PM +0200, Greg KH wrote: >>> > One nit: >>> > >>> > > + * **Impact Evaluation**: Many AI-generated reports lack an >>> > > understanding of >>> > > + the kernel's threat model and go to great lengths inventing >>> > > theoretical >>> > > + consequences. >>> > >>> > If only we had a shiny new document describing that threat model that we >>> > could reference here... :) >>> >>> Ah yes, a link to that would make things better, but don't we have that >>> elsewhere in this series? >> >> It's in the same patch, I think Jon was sarcastic here. I thought I had >> addressed that one but apparently I was wrong :-/ > > I'm just saying that this particular text should link to that document, > don't make readers go searching for it. I can certainly add a patch > doing that if you like.
I was thinking something like this. jon >From 3f02a3c190bab6b54e2a250ead0c7408af1a3c51 Mon Sep 17 00:00:00 2001 From: Jonathan Corbet <[email protected]> Date: Wed, 13 May 2026 14:51:29 -0600 Subject: [PATCH 1/2] docs: security-bugs: add a link to the threat-model documentation Rather than make readers search for this document, just a link to it where it is referenced. (While I was at it, I removed the unused and unneeded _threatmodel label from the top of threat-model.rst). Signed-off-by: Jonathan Corbet <[email protected]> --- Documentation/process/security-bugs.rst | 13 +++++++------ Documentation/process/threat-model.rst | 2 -- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/Documentation/process/security-bugs.rst b/Documentation/process/security-bugs.rst index f85c65f31f12f..3c51ddde31dd9 100644 --- a/Documentation/process/security-bugs.rst +++ b/Documentation/process/security-bugs.rst @@ -191,12 +191,13 @@ handle: Please **always convert your report to plain text** without any formatting decorations before sending it. - * **Impact Evaluation**: Many AI-generated reports lack an understanding of - the kernel's threat model and go to great lengths inventing theoretical - consequences. This adds noise and complicates triage. Please stick to - verifiable facts (e.g., "this bug permits any user to gain CAP_NET_ADMIN") - without enumerating speculative implications. Have your tool read this - documentation as part of the evaluation process. + * **Impact Evaluation**: Many AI-generated reports lack an understanding + of the kernel's threat model (see Documentation/process/threat-model.rst) + and go to great lengths inventing theoretical consequences. This adds + noise and complicates triage. Please stick to verifiable facts (e.g., + "this bug permits any user to gain CAP_NET_ADMIN") without enumerating + speculative implications. Have your tool read this documentation as + part of the evaluation process. * **Reproducer**: AI-based tools are often capable of generating reproducers. Please always ensure your tool provides one and **test it thoroughly**. If diff --git a/Documentation/process/threat-model.rst b/Documentation/process/threat-model.rst index ecb432390e792..91da52f7114fd 100644 --- a/Documentation/process/threat-model.rst +++ b/Documentation/process/threat-model.rst @@ -1,5 +1,3 @@ -.. _threatmodel: - The Linux Kernel threat model ============================= -- 2.53.0
