Christopher Blizzard wrote:

> What this policy does is set up a framework for end user distributors 
> and other interested parties to share information about security 
> vulnerabilities

You seem to assume that reports come from "inside", from parties (esp. 
companies) developing Mozilla. While that might be true for many bugs, 
it is by no means true for all of them.

I hope that a considerable amount of bug reports come from people not at 
all involved with Mozilla development or from individual developers. We 
need to set a policy for them, because they most likely have no opinion.

> Ben talks a lot about people who report bugs who might be naive and 
> might be influenced by the big bad corporations waiting around the 
> corner to protect their products but I don't see this as a major 
> problem.  Remember, there are lots of reasonable non-corporate people 
> who will be involved in this security group, Ben included,

You call me reasonable? Wow! ;-P

> to keep this kind of behaviour in check if it does happen ( and I 
> doubt that it will. ) 

First, I don't want to go after Netscape and make sure it plays nice. 
Second, I can't, as I outlined, because in the current scheme, Netscape 
will probably talk to the reporter privately, so I won't even notice. 
Please see previous conversation with Frank.
