On Fri, 2017-01-13 at 17:25 -0700, Sean Whitton wrote:
> My understanding of the policy that Russ linked to was that the security
> team are de facto bound to that policy because all the other distros are
> following it. Is that right? If so, it could be added to the new FAQ.
You should read up on Coordinated (or Responsible) Disclosure vs. Full Disclosure (not an uncontroversial topic in itself). The choice of which one is used for a given bug is usually the choice of the person/organisation who _discovers_ the issue.

In cases where the discoverer favours Coordinated Disclosure, either Debian agrees to abide by the embargoes which the discoverers wish to use, or we simply do not get told about issues until the embargo has expired.

Most distros, including Debian, agree to abide by such embargoes because it is in our interests and our users' interests to do so. So Debian abides by discoverers' wishes for the same reasons as the other distros do; I don't think it is quite accurate to say Debian does so because other distros do.

The important thing (I think) is that the choice of disclosure process is down to the discoverer and not to the distros. Distros which do not abide by the discoverers' wishes risk simply being left out of the disclosure process for future vulnerabilities.

Ian.