On Tue, 25 Apr 2006, Francesco Poli wrote:
> On Tue, 25 Apr 2006 00:31:45 +0200 Javier Fernández-Sanguino Peña wrote:
> > I have asked the stable security team in the past for a public
> > interface to their data but it doesn't seem to be possible.
>
> I think that this should be changed, as the SC states:
>
> | 3. We will not hide problems
> | We will keep our entire bug report database open for public view
> | at all times. Reports that people file online will promptly
> | become visible to others.
>
> Even if the explanation talks about the BTS in particular, I think that
> the spirit of SC#3 should apply to other areas too (e.g. problems that
> are known to some DDs, but are not yet reported to the BTS).
Here we basically have two choices.

1. Certain people sign NDAs/agreements to get the early disclosure information; in return they cannot disclose the information. We lose transparency, but security bugs can be fixed before they're (widely) known in the wild.

2. No one signs NDAs/agreements, and we're transparent; we don't have the information to publish in the BTS anyway, and work on fixing the security bugs can't start until after they're published.

Don Armstrong

-- 
She was a lot like starbucks. IE, generic and expensive.
 -- hugh macleod http://www.gapingvoid.com/batch3.htm

http://www.donarmstrong.com              http://rzlab.ucr.edu