Re: Proposed GR: State exception for security bugs in Social Contract clause 3
Scott Kitterman <debian@kitterman.com> writes:
> On Monday, January 09, 2017 07:08:19 PM Sean Whitton wrote:

>> === BEGIN GR TEXT ===
>> 
>> Title: State exception for security bugs in Social Contract clause 3
>> 
>> 1. Debian has a longstanding practice of sharing information about
>>    serious security bugs with only the security team.  This is so that
>>    they can co-ordinate release of the information with other vendors.
>> 
>> 2. The third clause of our Social Contract says that "We will not hide
>>    problems."  However, the practice of embargoing information about
>>    serious security bugs could be seen as the hiding of problems.
>> 
>> 3. Resolve to append the following to clause 3 of the Social Contract:
>> 
>>     An exception is made for serious security problems.  Information
>>     about these may be kept confidential for a limited period of time,
>>     so that a release of information may be co-ordinated with other
>>     vendors.
>> 
>> === END GR TEXT ===

> What is the definition of serious and what is the definition of limited?

My preference would be to just reuse the distros disclosure policy, as
that's been hashed out in public among the security community and is used
by all the various Linux distributions.

http://oss-security.openwall.org/wiki/mailing-lists/distros

    Please note that the maximum acceptable embargo period for issues
    disclosed to these lists is 14 to 19 days, with embargoes longer than
    14 days (up to 19) allowed in case the issue is reported on a Thursday
    or a Friday and the proposed coordinated disclosure date is thus
    adjusted to fall on a Monday or a Tuesday. Please do not ask for a
    longer embargo. In fact, embargo periods shorter than 7 days are
    preferable. Please notify upstream projects/developers of the affected
    software, other affected distro vendors, and/or affected Open Source
    projects before notifying one of these mailing lists in order to
    ensure that these other parties are OK with the maximum embargo period
    that would apply (and if not, then you may have to delay your
    notification to the mailing list), unless you're confident you'd
    choose to ignore their preference anyway and disclose the issue
    publicly soon as per the policy stated here.

Note that this still lets you make exceptions if upstream wants a longer
embargo period (by holding off on notifying distros and contacting other
distributions out of band).  It's hard to make this decision in advance
for everything; there are always challenging special circumstances.  (I as
a DD would be fine with our security team making that call in exceptional
situations.)

I don't think there's much point in defining serious.  If we have a
disclosure policy, then it doesn't matter as much.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>