
Re: Proposed GR: State exception for security bugs in Social Contract clause 3



On Fri, 2017-01-13 at 17:25 -0700, Sean Whitton wrote:
> 
> My understanding of the policy that Russ linked to was that the security
> team are de facto bound to that policy because all the other distros are
> following it.  Is that right?  If so, it could be added to the new FAQ.

You should read up on Coordinated (or Responsible) Disclosure vs. Full
Disclosure (not an uncontroversial topic in itself). The choice of
which one is used for a given bug is usually the choice of the
person/organisation who _discovers_ the issue.

In cases where the discoverer favours Coordinated Disclosure, either
Debian agrees to abide by the embargoes which the discoverers wish to
use or we simply do not get told about issues until the embargo has
expired.

Most distros, including Debian, agree to abide by such embargoes because
it is in our interests and our users' interests to do so.

So Debian abides by discoverers' wishes for the same reasons as the
other distros do; I don't think it is quite accurate to say Debian does
so because other distros do.

The important thing (I think) is that the choice of disclosure process
is down to the discoverer and not to the distros. Distros which do not
abide by the discoverers' wishes risk simply being left out of the
disclosure process for future vulnerabilities.

Ian.

