Ben Bucksch wrote:
> 
> It isn't meant as offending as it might sound, but while you *considered*
> all views, the view of Netscape is about the only one followed in this
> policy. You have neither full disclosure nor disclosure after a certain
> amount of time. Everything is controlled by a small, hand-picked group
> of people.

I don't know whether this will affect your views, but did you notice
that under this policy, the "small, hand-picked group of people" would
almost certainly include yourself? From the policy:

> The members of the Mozilla security bug group will be drawn primarily
> from the following groups:
> 
> * security developers (i.e., those whose bugs are often singled out as
>   security-relevant or who have security-relevant bugs assigned to
>   them), and security QA people who are the QA contacts for those
>   bugs; 
> * "exploit hunters" with a good track record of finding significant
>   Mozilla security vulnerabilities;
> * representatives of the various companies and groups actively
>   distributing Mozilla-based products; and
> * super-reviewers and drivers. 

I've heard multiple members of mozilla.org staff refer to Beonex as a
"vendor", which would mean that Beonex has a clear case for having a
representative in the security group based on the third option above.
(It wouldn't *have* to be you, but it *could* be, and presumably (Frank,
can you confirm this?) it would be your choice).

This would mean, also, that an "I distribute a mozilla-based product
that has no other representation in the security group" would be valid
as one of those "legitimate reasons" for applying for the security
group.

(Disclaimer: I'm just going on what I understood from reading the
policy; I had nothing to do with its drafting and if anything I say is
important to you, you should check it against the policy yourself or ask
someone like Frank who actually knows what he's talking about :) )

Stuart.
