On Mon, Sep 8, 2014 at 2:07 AM, Matt Caswell <[email protected]> wrote:
> The OpenSSL Development Team have today released the OpenSSL Project
> Security Policy.
>
> The policy has been published at:
> https://www.openssl.org/about/secpolicy.html
Hi Matt,

Thank you and the OpenSSL team for clarifying the security policy. One particular clause caught my attention:

    We use the mailing list described at
    http://oss-security.openwall.org/wiki/mailing-lists/distros for this.
    We may also include other organisations that would otherwise qualify
    for list membership. We may withdraw notifying individual
    organisations from future prenotifications if they leak issues before
    they are public or over time do not add value (value can be added by
    providing feedback, corrections, test results, etc.)

"Do not add value" seems somewhat arbitrary, and I hope that vendors will be treated fairly, without discrimination. How can a vendor know that it's providing "value"? How are vendors rated? Is there an internal tracking system for vendors' "value", where they can check it, and know when they are "adding value" or "losing value"? Perhaps it might need to be clarified further.

> The policy details how we handle and classify security issues, as well
> as who we tell about them and when.
>
> Matt
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [email protected]
> Automated List Manager [email protected]

--
This message is strictly personal and the opinions expressed do not represent those of my employers, either past or present.
