
Opening up kernel security bug handling

Posted Sep 17, 2013 2:37 UTC (Tue) by kurtseifried (guest, #57307)
In reply to: Opening up kernel security bug handling by error27
Parent article: Opening up kernel security bug handling

It's not like we've made it hard to get CVEs. I've been at Red Hat for 2 years now (as of last week), and took over CVE assignments early on.

http://people.redhat.com/kseifrie/CVE-OpenSource-Request-...

The aforementioned methods will work to get CVEs; you can also request them privately (but for Linux kernel stuff especially, the distros@ list is much preferred, as this also ensures all the large Linux vendors get notified).


Opening up kernel security bug handling

Posted Sep 17, 2013 12:27 UTC (Tue) by error27 (subscriber, #8346)

It's not clear why more kernel developers don't file for CVEs.

One reason is maybe that people prefer silent fixes.
http://www.pcpro.co.uk/news/security/213213/torvalds-rage...
Personally, I feel that these days the danger is not about script kiddies, so we should just spell out the danger.

One thing is that maintainers already have enough things to do. It's ridiculous to imagine that Greg K-H is going to do all the security analysis by himself. Anyone can file for CVEs if they want to. Greg thinks that distros already do that job and are able to understand which -stable patches have security impacts.
https://lwn.net/Articles/539282/

As a kernel contributor, I decided I would let the individual maintainers decide for themselves how they want to handle security bugs. I always spell out the implications. So far no maintainers have ever filed for a CVE but occasionally P J P will tag one of my patches.
http://www.spinics.net/lists/stable/msg16881.html
I pretty much agree with Greg on that. One byte of stack info seems like a minor thing.

A lot of the time, I don't know the security implications myself. Which parts of the code are root only? Is an off-by-one check just a sanity check that can't ever be triggered? If we read one space beyond the end of the array, is that a problem?


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds