On Wed, Mar 30, 2016 at 10:22:13AM -0700, Ben Pfaff wrote:
> SECURITY.md currently says:
>
>     A disclosure date is negotiated by the security team working with the
>     bug submitter as well as vendors. However, the Open vSwitch security
>     team holds the final say when setting a disclosure date. The timeframe
>     for disclosure is from immediate (esp. if it's already publicly known)
>     to a few weeks. As a basic default policy, we expect report date to
>     disclosure date to be 3~5 business days.
>
> When we recently put an actual vulnerability through this process, we
> discovered that this is far too short. At VMware, for example, it takes
> about 10 business days to put an NSX release through all of the internal
> processes needed to make it available to customers. A lot of that is
> QA, but even if that were to be skipped (which would be difficult), 5
> days is terribly short.
>
> I realize that VMware is not at the forefront of efficiency here, but I
> think that other downstream users of Open vSwitch are likely to have
> enterprise-y schedules as well. Probably, we are not yet aware of most
> of these, but my guess is that since Open vSwitch is gaining a higher
> profile we will start to see vulnerability reports regularly and other
> enterprise software companies will start to sign up as downstreams.
>
> I suggest that we increase our policy from 3-5 business days to 10-15.
>
> Your thoughts?
Same issue here, ACK.

-- 
fbl