On 2/11/2003 1:05 AM Mitchell Baker cranked up the brainbox and said:

> A few weeks back I proposed a change to the mozilla.org policy on
> handling security bugs. Having received no objections, we're revising
> the policy as previously described. The revisions allow a member of the
> security group who is part of an organization shipping Mozilla-based
> products to share information within that organization, with some
> constraints.
>
> The current version can be found at
> http://www.mozilla.org/projects/security/security-bugs-policy.html.
Seems to be an excellent piece of work. Fair, well laid out, and thorough.

One potential point of conflict though. Under Disclosure:

"Please try not to keep bugs in the security-sensitive category for an unreasonably long amount of time."

I think this needs some teeth. Either a real limit, or expanding the statement to say something like:

"Should there be a consensus that any vendors have had ample time to patch their products, bugs may be disclosed to the public regardless of whether patches exist. A vendor's 'legitimate need' is not an indefinite deferral."

People (vendors and users alike) need to know that it is unacceptable to keep bugs private for many, many months without any work at resolution. The Security flag should not be counted on as a fix in absentia of actual patches to products.

Sometimes the Sword of Damocles is useful...

-- 
jesus X [ Booze-fueled paragon of pointless cruelty and wanton sadism. ]
email    [ jesus_x @ mozillanews.org ]
web      [ http://www.mozillanews.org ]
query    [ And which parallel universe did you crawl out of? ]
warning  [ Go away or I shall replace you with a very small shell script. ]
Memorium [ Rick D. Husband, William C. McCool, Michael P. Anderson ]
         [ David M. Brown, Kalpana Chawla, Laurel Clark ]
