Hi liberationtech,

The W3C, which sets Web standards, just released this

https://www.w3.org/2017/01/GVDP-factsheet.html

in an attempt to pacify all of us who are complaining that their plan to
make DRM part of Web standards would be bad for security researchers.
It's a draft of "best practices" for companies to follow when security
researchers disclose vulns to them.

Is anyone who's knowledgeable about disclosure policies able to take a
look at it and share your thoughts?

To me, it looks like it's not much of a protection for the researchers,
because it's totally voluntary and apparently allows companies to ignore
it if they make such arbitrary judgements as that the security
researcher didn't give them a "reasonable" amount of time between
private and public disclosure.

I think we can take Netflix's policy (linked from the W3C page) to be
pretty representative of the policies these guidelines will produce. How
does it compare to typical companies' policies? Are there really good
policies that it would be better for the W3C to model their guidelines on?

-- 
Zak Rogoff // Campaigns Manager
Free Software Foundation
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.