> On Jul 5, 2019, at 6:40 AM, Shawn Webb <shawn.w...@hardenedbsd.org> wrote:
>
>> On Wed, Jul 03, 2019 at 10:18:12AM -0700, Gordon Tetlow wrote:
>> Sorry for the late response, only so many hours in the day.
>
> Completely understood. Thanks for taking the time to respond!
>
>>
>>> On Tue, Jun 18, 2019 at 08:06:55PM -0400, Shawn Webb wrote:
>>> It appears that Netflix's advisory (as of this writing) does not
>>> include a timeline of events. Would FreeBSD be able to provide its
>>> event timeline with regards to CVE-2019-5599?
>>
>> I don't generally document a timeline of events from our side. This
>> particular disclosure was a bit unusual as it wasn't external but
>> instead was an internal FreeBSD developer the security team often works
>> with. As such, our process was a bit out of sync with normal (as much as
>> we have a normal with our current processes). All of that said, we got
>> notice in early June, about 10 days before public disclosure.
>
> Perhaps this might be a good time to start keeping records for future
> vulnerability reports, regardless of source of disclosure.
>
> Does FreeBSD publish its vulnerability response process documentation?
> If not, would FreeBSD be open to such transparency?

You’re asking volunteers, performing a very time-consuming task, to do even more work. The demands of security officer are pretty onerous as it is.

>
>>
>>> Were any FreeBSD derivatives given advanced notice? If so, which ones?
>>
>> They were not. I would like to get to a point where we feel we could
>> give some sort of heads up for downstream, but we aren't there yet.
>
> Sounds good. Let me know how I can help. I'm at your service.
>
> Thanks,
>
> --
> Shawn Webb
> Cofounder / Security Engineer
> HardenedBSD
>
> Tor-ified Signal: +1 443-546-8752
> Tor+XMPP+OTR: latt...@is.a.hacker.sx
> GPG Key ID: 0xFF2E67A277F8E1FA
> GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2