On Wed, 2004-05-19 at 09:25, Tobias Weisserth wrote:
> > It means that if a vendor contacts us to notify us of a security
> > vulnerability in their product, but asks us to keep it confidential until a
> > pre-defined release date, we will respect their wishes and treat the bug as
> > confidential.
>
> Ah, OK. I think this explanation deserves to be in the document. :-)
>
> regards,
> Tobias

(/. pedantic +1)

Would it not also be prudent to state that the reason the secrecy for the
vendor is being honoured is only to give the vendor time to confirm and
release a patch to fix the vulnerability?

That way, when you do get a confidential vulnerability, you know you're
keeping it secret for a good reason (i.e. the vendor has confirmed they are
working to fix the vulnerability), and not simply because someone asked
you to.

Just a thought
--
Dagan
'S Rioghal Mo Dhream!

--
gentoo-security@g.o mailing list