docs/linux: updated reporting security bugs - strictly follow [email protected]

[novitoll]

Updated the documentation with:

• vulnerability definition and kernel security bug description
• reporting security procedure per https://docs.kernel.org/process/security-bugs.html
• CVE assignment per https://www.kernel.org/doc/html/latest/process/cve.html
• and recent Greg K-H video from the recent conference - https://www.youtube.com/watch?v=KumwRn1BA6s

Removed minor, major security bug classifications as now, CVE is assigned to the issue even it triggers WARN_ON with panic_on_warn enabled and reboots the system.

The updated reporting process strictly follows the [email protected] guideline.

Fixes: #4714

[novitoll]

This is a strict version of #5461 which does not involve linux-distros, oss-security into the Linux kernel bus reporting process according to kernel.org recommendations. See the lore thread in this comment.

[xairy]

I'd say we should keep to the existing workflow and just update the part about CVE assignments. Changing the process to only reporting bugs to [email protected] is quite one-sided: I have a feeling that people on linux-distros care about exploitable security problems way more than people on [email protected]. And keeping the announcements to oss-security makes sense too: there are people who monitor that list to get notified of impactful bugs (including me).