Scott Kitterman <[email protected]> writes:

> On Monday, January 09, 2017 07:08:19 PM Sean Whitton wrote:

>> === BEGIN GR TEXT ===
>>
>> Title: State exception for security bugs in Social Contract clause 3
>>
>> 1. Debian has a longstanding practice of sharing information about
>>    serious security bugs with only the security team. This is so that
>>    they can co-ordinate release of the information with other vendors.
>>
>> 2. The third clause of our Social Contract says that "We will not hide
>>    problems." However, the practice of embargoing information about
>>    serious security bugs could be seen as the hiding of problems.
>>
>> 3. Resolve to append the following to clause 3 of the Social Contract:
>>
>>    An exception is made for serious security problems. Information
>>    about these may be kept confidential for a limited period of time,
>>    so that a release of information may be co-ordinated with other
>>    vendors.
>>
>> === END GR TEXT ===

> What is the definition of serious and what is the definition of limited?

My preference would be to just reuse the distros disclosure policy, as
that's been hashed out in public among the security community and is used
by all the various Linux distributions.

http://oss-security.openwall.org/wiki/mailing-lists/distros

    Please note that the maximum acceptable embargo period for issues
    disclosed to these lists is 14 to 19 days, with embargoes longer than
    14 days (up to 19) allowed in case the issue is reported on a Thursday
    or a Friday and the proposed coordinated disclosure date is thus
    adjusted to fall on a Monday or a Tuesday. Please do not ask for a
    longer embargo. In fact, embargo periods shorter than 7 days are
    preferable.

    Please notify upstream projects/developers of the affected software,
    other affected distro vendors, and/or affected Open Source projects
    before notifying one of these mailing lists in order to ensure that
    these other parties are OK with the maximum embargo period that would
    apply (and if not, then you may have to delay your notification to the
    mailing list), unless you're confident you'd choose to ignore their
    preference anyway and disclose the issue publicly soon as per the
    policy stated here.

Note that this still lets you make exceptions if upstream wants a longer
embargo period (by holding off on notifying distros and contacting other
distributions out of band). It's hard to make this decision in advance for
everything; there are always challenging special circumstances. (I as a DD
would be fine with our security team making that call in exceptional
situations.)

I don't think there's much point in defining serious. If we have a
disclosure policy, then it doesn't matter as much.

-- 
Russ Allbery ([email protected])              <http://www.eyrie.org/~eagle/>

