Open nwalfield opened 3 months ago
briansmith
commented
3 months ago I'm not sure what would be helpful. Are you envisioning the scenario where somebody would report a vulnerability and we would disclose it before we fix it? I definitely don't intend to do that. Or are you envisioning the scenerio where the reporter asks for an embargo until a particular date? Or something else? Do you have some specific language you're hoping to see?
nwalfield
commented
3 months ago This is our policy on security vulnerabilities in Sequoia. We've shared it with a number of stakeholders, and they seem to like it. The short version is that when we are made aware of a security issue, we share the findings with a closed group of stakeholders (Distributions, and some applications that use Sequoia), and we all do a release on an agreed upon flag day.
It's a fair amount of work, and I'm not asking you to do it. As you updated your policy, I'm seeking clarification. Unfortunately, we're not able to financially support ring. And again, I'm not asking you to do this; I'm just requesting clarification.
Thanks!
briansmith
commented
1 month ago I am open to specific suggestions of wording. I don't really know what you're asking for.
I recently discovered that the statement about ring's disclosure policy statement was removed. The new security policy isn't clear about whether you are doing coordinated disclosure, or are still doing full disclosure. Would you please consider adding a statement to SECURITY.md clarifying this. Thanks!