Hi Max - (First time poster (?Maybe) / long time lurker).I think highlighting that Debian is supported by volunteers is important and providing up front a link to tracker is outstanding. The "we take security seriously" text is dated consistent with standard boiler-plate text.
I'd also like to see information on both how to submit vulnerabilities as well as how to contribute to getting them fixed.
Thanks, Silas On 12/28/21 1:46 PM, max wrote:
Some statements on debian.org/security are inaccurate, and many people are misled by them. I propose replacing """ Debian takes security very seriously. We handle all security problems brought to our attention and ensure that they are corrected within a reasonable timeframe. """ with something more factual, like """ Debian's security updates are created by volunteers working in their spare time. Some packages may receive more attention than others. To view the current list of known unfixed vulnerabilities see https://security-tracker.debian.org/tracker/status/release/stable """ (Side note: It seems that NVD tends to assign "medium" severity to vulnerabilities initially, but upgrades them to "high" or "critical" later. However, Debian keeps showing the initial severity rating)
-- Silas Cutler (Silas@BlackLab.io) PGP Fingerprint (598A 812E FB8C BA19 69A5 D17A C14D A520 A02E 8CD6)
Attachment:
OpenPGP_0xC14DA520A02E8CD6.asc
Description: OpenPGP public key
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature