Stuart Ballard wrote:

> My only concern is the way it seems to "default" to closed status, which is more a matter of emphasis than anything else. My two points about eventual disclosure being mandatory and keeping bugs that don't apply to any milestone open were both in reaction to this same issue, and having thought about it some more, I agree that hard and fast restrictions aren't the way to go.
It doesn't default to closed status. Security bugs default to whatever the reporter wants them to be. What this policy does is set up a framework for end user distributors and other interested parties to share information about security vulnerabilities in a way that respects the individual needs of those reporters and participants. It might be that Ben Bucksch might report a bug and might want specifics of that vulnerability and the fixes released at a time frame of two weeks. As the reporter of that bug he has the power to make decisions about the time frame involved. Netscape, as the big bad corporation in this context, doesn't have any power over that decision since it's up to the bug reporter. But turn-around must apply, so Ben must respect Netscape's wishes if one of their engineers reports a bug. If this system wasn't in place then there wouldn't be any forum for this information to be shared and every vendor would be an island, which I suspect would be bad for all involved. Of course, by participating in the security group the members are making the choice to allow the group, through consensus, and to have mozilla.org staff possibly override that decision, so there is a good bit of sacrifice made in the name of being open.

Ben talks a lot about people who report bugs who might be naive and might be influenced by the big bad corporations waiting around the corner to protect their products, but I don't see this as a major problem. Remember, there are lots of reasonable non-corporate people who will be involved in this security group, Ben included, to keep this kind of behaviour in check if it does happen (and I doubt that it will). Also, I'm very sure that the engineers involved in fixing those bugs take them very seriously, and if they don't then other members of the security group will, for sure. There's lots of pressure to get those kinds of vulnerabilities fixed.
> What I would like to see though is something explicitly in the policy stating that closing a bug requires some justification, and that absent such justification, openness is the default. Make it vague and waffly and leave final discretion to the security group on a case-by-case basis, but make it clear that the *intent* is that bugs should be kept open unless there are reasons not to, and should be opened afterwards as soon as the reasons no longer apply.

I think that's entirely up to the reporter. If they check that box they must think that it's security related and they want to keep it confidential to that group.

--Chris

--
Christopher Blizzard
http://people.redhat.com/blizzard/
Mozilla.org - we're on a mission from God. Still.
