Linux Kernel Outlines What Qualifies As A Security Bug, Responsible AI Use
The Linux 7.1 kernel has added new documentation clarifying what qualifies as a security bug and how AI-assisted vulnerability reports should be handled. Phoronix reports: Stemming from the recent influx of security bugs to the Linux kernel as well as an uptick in bug and security reports from discoveries made in full or in part with AI, additional documentation was warranted. Longtime Linux developer Willy Tarreau took to authoring the additional documentation around kernel bugs. To summarize (since the documentation is a bit too lengthy for a Slashdot story), the AI-assisted vulnerability reports should "be treated as public" because such findings "systematically surface simultaneously across multiple researchers, often on the same day." It adds that reporters should avoid posting a reproducer openly, instead "just mention that one is available" and provide it privately if maintainers request it. The guidance also tells AI-assisted reporters to keep submissions concise and plain-text, focus on verifiable impact rather than speculative consequences, include a thoroughly tested reproducer, and, where possible, propose and test a fix.
As for what qualifies as a security bug, the documentation says the private security list is for "urgent bugs that grant an attacker a capability they are not supposed to have on a correctly configured production system" and are easy to exploit, creating an imminent threat to many users. Reporters are told to consider whether the issue "actually crosses a trust boundary," since many bugs submitted privately are really ordinary defects that belong in the normal public reporting process.
All the new documentation can be read via this commit.
Hooray! (Score:4, Interesting)
As someone whose job includes commenting on every f***ing CVE that is reported for the software on a customer's device, I look forward to this reducing the number of CVEs. There are lots and lots of CVEs that do not compromise the security of a system and at most are locally exploitable DoSes.
Re: (Score:2)
CVE scores in CVSS 3.x/4.0 systems have that information, including whether the Attack Vector is local and how large the impact is. The existence of a detailed unified catalog isn't problematic; organizations can sure use that data wrong, though.
A good definition of AI slop (Score:2)
* **Formatting**: Most AI-generated reports are littered with Markdown ta