Ken Dreyer writes:

> What do you think about time frame commitments? When I ran into a
> security issue a while back[1], I wasn't sure how long it would be
> appropriate to wait for feedback on the thread. Of course you and the
> rest of the team don't have to promise something like "72 hours
> response time", but maybe more general language on that web page about
> communication would be a good idea. What do you think?

Ken,

Thanks for bringing that up. I suppose a typical scenario looks like this:

1. an issue is reported
2. we acknowledge that we've been informed
3. we work (together) to identify the probability of an exploit and the consequences of an exploit
4. we work on a patch
5. we ship a patch and post an advisory

Having a checklist like this (publishing it too!) makes us better prepared to respond, and makes it easier to determine the next step. Getting from 1 to 2 is really easy, and I suspect getting from 3 to 4 and 4 to 5 is just as easy; the "hard" part is going to be #3.

On another note, is there a way we could involve the community in helping out with this?

Cheers,
- Marius
