Frank Hecker wrote:

> The problems you're concerned about are mainly problems when the bug
> reporter is a Mozilla vendor with an incentive to keep the bug
> confidential. They can take advantage of their position as a bug
> reporter to try to keep the bug private.

This concern seems to be the base of much of your reasoning. I have an 
idea about it: To allow a vendor to participate in the security group, 
we mandate that the bugs this vendor knows about can be used at least 
under these and these terms. That's similar to the idea of (limited) 
copyleft - we give you something, but you have to give us something 
comparable in return. That way, we could impose *some* terms on vendors.

We'd have to see if that works for Netscape, but all other vendors will
probably have more to gain than to lose and will agree.
