| 1 |
On Wed, 2004-05-19 at 09:25, Tobias Weisserth wrote: |
| 2 |
> > It means that if a vendor contacts us to notify us of a security |
| 3 |
> > vulnerability in their product, but asks us to keep it confidential until a |
| 4 |
> > pre-defined release date, we will respect their wishes and treat the bug as |
| 5 |
> > confidential. |
| 6 |
> |
| 7 |
> Ah, OK. I think this explanation deserves to be in the document. :-) |
| 8 |
> |
| 9 |
> regards, |
| 10 |
> Tobias |
| 11 |
|
| 12 |
(/. pedantic +1) |
| 13 |
|
| 14 |
Would it not also be prudent to state the reason the secrecy for the |
| 15 |
vendor being honoured, is only to give the vendor time to confirm and |
| 16 |
release a patch to fix the vulnerability ? |
| 17 |
|
| 18 |
That way when you do get a confidential vulnerability, you know you're |
| 19 |
keeping it secret for a good reason (i.e vendor has confirmed they are |
| 20 |
working to fix the vulnerability), and not simply because someone asked |
| 21 |
you to. |
| 22 |
|
| 23 |
Just a thought |
| 24 |
-- |
| 25 |
Dagan |
| 26 |
'S Rioghal Mo Dhream! |
| 27 |
([XXH<>%<>HXX])============================== |
| 28 |
|
| 29 |
|
| 30 |
-- |
| 31 |
gentoo-security@g.o mailing list |
Archives