Thank you to Russ and Ben for the encouragement!

On Sat, Jan 14, 2017 at 08:48:40AM +0000, Ian Campbell wrote:
> You should read up on Coordinated (or Responsible) Disclosure vs. Full
> Disclosure (not an uncontroversial topic in itself), the choice of
> which one is used for a given bug is usually the choice of the
> person/organisation who _discovers_ the issue.
> [...]

On Sat, Jan 14, 2017 at 11:47:17AM +0100, Emilio Pozuelo Monfort wrote:
> Maybe there should be a note about how we handle embargoed vulnerabilities
> here:
>
> https://www.debian.org/security/faq

Thanks for reminding me about that existing FAQs page. I think that Ian's e-mail, suitably edited, would be a great addition if both Ian and the security team agreed. It could then be linked to from my new SocialContractFAQ page on the wiki.

--
Sean Whitton