Stuart Ballard wrote:
> Ben Bucksch wrote:
>
>>Stuart Ballard wrote:
>>
>>>This would include notifying your users of the bug's existence as soon
>>>as it is found (provided you only do so in a vague way)
>>>
>>That is what I need to do, but I am disallowed to do that (to my
>>understanding) under the new scheme.
>>
>
> That's not how I read it, but looking at it more closely it's open to
> interpretation.

I'm tied up with work-related stuff, so I can't answer at length right now (and might not be able to come back to this discussion in earnest until tomorrow). However, I believe the intent was that we (mozilla.org staff) would encourage the security module owner, peers, and the security bug group to consider issuing such vague warnings where appropriate, but would not mandate as an absolute policy that this be done immediately upon the security bug group becoming aware of the existence of a bug.

Frank
--
Frank Hecker
[EMAIL PROTECTED]
