Hello WebKit Security group. Your page at http://www.webkit.org/security/ says:
- *Disclosure:* The WebKit Security Group will negotiate an embargo date for public disclosure for each new Security bug, with a default minimum time limit of 60 days. An embargo may be lifted before the agreed-upon date if all vendors planning to ship a fix have already done so, and if the reporter does not object. The agreed-upon embargo date will be communicated to the reporter through the bug at https://bugs.webkit.org.

I reported https://bugs.webkit.org/show_bug.cgi?id=141878 and https://bugs.webkit.org/show_bug.cgi?id=141865 which meet these criteria. My comments #6 and #4 respectively ask that these be made public.

The only known vulnerabilities created by these bugs were in Caja and software relying on Caja for security, like Google Apps Script. All of these have now been upgraded to no longer be vulnerable to these bugs. In doing so, we have also disclosed the underlying problems, so there is no longer any reason to keep these bugs non-public. See https://code.google.com/p/google-caja/wiki/SecurityAdvisory20150313

I request that the embargo be lifted and these bugs become public, in accord with the WebKit security disclosure policy I quote above. Thanks.

--
Cheers,
--MarkM
