On Wed, Mar 30, 2016 at 06:11:33PM -0300, Flavio Leitner wrote:
> On Wed, Mar 30, 2016 at 10:22:13AM -0700, Ben Pfaff wrote:
> > SECURITY.md currently says:
> >
> >     A disclosure date is negotiated by the security team working with the
> >     bug submitter as well as vendors. However, the Open vSwitch security
> >     team holds the final say when setting a disclosure date. The timeframe
> >     for disclosure is from immediate (esp. if it's already publicly known)
> >     to a few weeks. As a basic default policy, we expect report date to
> >     disclosure date to be 3~5 business days.
> >
> > When we recently put an actual vulnerability through this process, we
> > discovered that this is far too short. At VMware, for example, it takes
> > about 10 business days to put an NSX release through all of the internal
> > processes needed to make it available to customers. A lot of that is
> > QA, but even if that were to be skipped (which would be difficult), 5
> > days is terribly short.
> >
> > I realize that VMware is not at the forefront of efficiency here, but I
> > think that other downstream users of Open vSwitch are likely to have
> > enterprise-y schedules as well. Probably, we are not yet aware of most
> > of these, but my guess is that since Open vSwitch is gaining a higher
> > profile we will start to see vulnerability reports regularly and other
> > enterprise software companies will start to sign up as downstreams.
> >
> > I suggest that we increase our policy from 3-5 business days to 10-15.
> >
> > Your thoughts?
>
> Same issue here, ACK.
OK. I brought this up here first because I wanted to give people a chance
to object before I posted a patch. It's been over a day and no objections
(and your ack is reassuring; thanks!), so I posted a patch:

http://openvswitch.org/pipermail/dev/2016-March/069005.html

I'll give that a day or so to percolate and gather acks.

_______________________________________________
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss