Re: Proposed GR: State exception for security bugs in Social Contract clause 3
Scott Kitterman <debian@kitterman.com> writes:
> On Monday, January 09, 2017 07:08:19 PM Sean Whitton wrote:
>> === BEGIN GR TEXT ===
>>
>> Title: State exception for security bugs in Social Contract clause 3
>>
>> 1. Debian has a longstanding practice of sharing information about
>> serious security bugs with only the security team. This is so that
>> they can co-ordinate release of the information with other vendors.
>>
>> 2. The third clause of our Social Contract says that "We will not hide
>> problems." However, the practice of embargoing information about
>> serious security bugs could be seen as the hiding of problems.
>>
>> 3. Resolve to append the following to clause 3 of the Social Contract:
>>
>> An exception is made for serious security problems. Information
>> about these may be kept confidential for a limited period of time,
>> so that a release of information may be co-ordinated with other
>> vendors.
>>
>> === END GR TEXT ===
> What is the definition of serious and what is the definition of limited?
My preference would be to just reuse the distros disclosure policy, as
that's been hashed out in public among the security community and is used
by all the various Linux distributions.

    http://oss-security.openwall.org/wiki/mailing-lists/distros

    Please note that the maximum acceptable embargo period for issues
    disclosed to these lists is 14 to 19 days, with embargoes longer than
    14 days (up to 19) allowed in case the issue is reported on a Thursday
    or a Friday and the proposed coordinated disclosure date is thus
    adjusted to fall on a Monday or a Tuesday. Please do not ask for a
    longer embargo. In fact, embargo periods shorter than 7 days are
    preferable. Please notify upstream projects/developers of the affected
    software, other affected distro vendors, and/or affected Open Source
    projects before notifying one of these mailing lists in order to
    ensure that these other parties are OK with the maximum embargo period
    that would apply (and if not, then you may have to delay your
    notification to the mailing list), unless you're confident you'd
    choose to ignore their preference anyway and disclose the issue
    publicly soon as per the policy stated here.

Note that this still lets you make exceptions if upstream wants a longer
embargo period (by holding off on notifying distros and contacting other
distributions out of band). It's hard to make this decision in advance
for everything; there are always challenging special circumstances. (I as
a DD would be fine with our security team making that call in exceptional
situations.)

I don't think there's much point in defining serious. If we have a
disclosure policy, then it doesn't matter as much.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>