Bug#129604: general: Social Contract: We Do Hide Problems

Can't we satisfy not disclosing the vulnerability and letting our users know by doing something like this:

	Debian has been informed of a [<<type>>] vulnerability in
	<<package>> [by <<someone>>]. We are preparing an updated
	package, which will be available from security.debian.org
	along with a DSA [on <<date>>].

	To the best of our knowledge, this is not being exploited
	in the wild. However, you are cautioned to take reasonable
	precautions, such as not using <<package>> if not needed.

This way, we don't release the details to the bad guy. We do alert our users to be on the lookout.

And we're certainly not hiding our problems, by any stretch of the word.