> >Is clear that the second process -- intending to also take an ethical
> >path for disclosure -- should not specifically exclude a part of the
> >community.
>
> They specifically exclude parts of the community that specifically
> say they don't want to be INCLUDED.
>
> See: http://seclists.org/oss-sec/2014/q2/233

Dear Anonymous,

That discussion is unrelated.

I made a personal statement that I did not wish to participate in another private mailing list, stating my reasons as clearly as I could.

My personal participation in such a mailing list is very distinct from OpenSSL's social responsibility to inform

- the 10+ developers working on LibreSSL (I am only a minor part of that sub-group).

- the security-concerned sub-group of OpenBSD (I play a big part in that, but not in regards to the SSL subset, so at most I would have handed this to the LibreSSL subgroup)

Dr. Henson of OpenSSL knew who to contact. The other members of the private mailing list were witness to the disclosure gap. The choice was made there.

I cannot be held responsible for this lack of notification.