Boris, full ACK. I have not followed the press, but I do know that the
current situation is bad.
What I proposed (when the policy was formed), and where I would probably
be willing to formally participate, is to warn users about bugs as soon
as we know about them. Write:
* the bugnumber,
* a summary of the bug,
* the vulnerability (incl. an assessment of the severity),
* a workaround (if known),
* but without exploit and without disclosing the bugzilla bug
(because Netscape doesn't want that).
Post that information on a security-announce list and on the webpage.
Update (both newsgroup and webpage) as soon as a fix is available.
Re press: This would give transparency, we wouldn't be blamed several
times for the same bug (because of the ID) and most importantly, we
hopefully wouldn't be blamed for bugs that have already been fixed (and
the fix shipped).
Re distributors: This would make the work of distributors a whole lot
easier, because they don't have to wade through all the bugs and
make an assessment themselves and try to figure out when and where a
bug is fixed. They have an easy to understand list of security bugs
existing in their products and can make a decision when they want to
push a new release. They would also have boiler-plate security
advisories to be distributed to their users.
Re users: Users would be a lot more secure, because distributors have it
easier to warn them and users can take precautions until a bug is fixed
(which can take months, given current experiences, just check the old,
disclosed bugs).
The major roadblock is to agree that this procedure is wanted. Sorry for
bringing that up again, but it seems like current policy and its
implementation does not work.
Ben Bucksch
Beonex
