Ben Bucksch wrote:
> Stuart Ballard wrote:
>
> > This would include notifying your users of the bug's existence as soon
> > as it is found (provided you only do so in a vague way)
>
> That is what I need to do, but I am disallowed to do that (to my
> understanding) under the new scheme.

That's not how I read it, but looking at it more closely it's open to interpretation. Frank, could you clarify what you mean here:

-- begin quote --
However we do expect members of the group
* not to disclose security bug information to others who are not members of the Mozilla security bug group or are not otherwise involved in resolving the bug,
* not to post descriptions of exploits in public forums like newsgroups, and
* to be careful in whom they add to the CC field of a bug (since all those CC'd on a security bug potentially have access to the complete bug report).
-- end quote --

The third item is of no relevance here. The second item does not forbid the kind of disclosure we're talking about here, because it's not a "description of an exploit", but a vague warning of the problem's existence. But the first item is so broadly worded that it could cover anything, including providing this kind of warning.

Could you narrow down that first item somewhat, and make it explicitly clear that giving public warning to users about the bug, provided specifics are not mentioned, is okay?

Thanks,
Stuart.
