> On 9 Mar 2023, at 18:18, Daniel Stenberg <dan...@haxx.se> wrote:
>
> On Thu, 9 Mar 2023, Daniel Gustafsson wrote:
>
>> This opens us up to the risk that we've misjudged the severity, and we
>> publish what we think is Low but in reality should've been High (or higher).
>> Ideally this shouldn't happen, and thus the risk is low, but known risks are
>> better than unknown. If we are on the fence regarding severity it should be
>> fine to keep it hidden as per the process for High.
>
> Ah yes, good point. We should be fairly sure of the severity level before we
> make a (public) PR to fix any security flaw.
>
> Do you think it is worth adding words about that in the SECURITY-PROCESS
> document?
I think the current wording in your PR suffices, as it's "vague" enough to allow the security team to make the call on a case-by-case basis.

--
Daniel Gustafsson