Re: Proposal G
* Andreas Barth:
> Actually, we hide security bugs. Of course not, if they are filled
> into the bts, but we hide them if they are sent to team@security.
> Please don't misunderstand me; I think the current approach is the
> right one, but with literal reading SC #3 is tangled (and I know that
> Florian disagrees with me here).
Just for the record, because opinions sometimes change over time: I
see this particular case as a mere example where we must somehow
balance one goal expressed in the SC against another, conflicting one.
I think it's important to realize that the SC does not automatically
offer a clear-cut answer to every complex question.
Furthermore, I do no longer closely follow developments in
vulnerability handling. I simply do not know if vendor-sec is playing
into the hands of commercial vulnerability resellers such as CERT/CC /
US-CERT / Internet Security Alliance, OIS, SecurityFocus / Symantec
and so on (those companies who do have a public BTS which incurs a
noticeable publication delay, to protect their business interests more
than their users' interests).
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: bigpond.com, di-ve.com, fuorissimo.com, hotmail.com,
jumpy.it, libero.it, netscape.net, postino.it, simplesnet.pt, spymac.com,
tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr, yahoo.com.