On Thu, Aug 22, 2019 at 9:14 PM Lukas Atkinson <[email protected]> wrote:
> However, that 90 day window is awfully long. While this is the typical
> embargo period, it intends to give the vendor enough time to verify,
> investigate, and fix the vulnerability, and to prepare the distribution of
> patches. This tries to balance the vendor's ability to fix the issue with
> the end users' interest to be quickly informed about open vulnerabilities in
> the software. (My use of "vendor" rather than "community" here is
> deliberate: such an embargo mostly makes sense in the context of closed or
> at least cathedral-style development.)

As others have commented, it's not just vendors who may need embargo periods. Communities who share historic code origins can have a need to co-ordinate addressing CVEs as well, and my experience of a particular case has shown that even 90 days can be too short when one of those communities is failing to respect its obligations to its users.

I suggest fixing this number at some "universally accepted" value is a potential risk. Perhaps some mechanism such as "30 days unless otherwise declared by the copyright holder"?

S.
(in a personal capacity despite the from: address)
_______________________________________________
License-discuss mailing list
[email protected]
http://lists.opensource.org/mailman/listinfo/license-discuss_lists.opensource.org
