Ben Bucksch wrote:
> > The policy isn't working. ...
> [...] can we use full disclosure now?

I don't think you've demonstrated problems with the policy but rather that we have to do a better job implementing it. A *much* better job.

> * Public security bug lists [...]
> per policy only list *fixed* bugs anyways.

Not true, there are guidelines for issuing immediate warnings
http://www.mozilla.org/projects/security/security-bugs-policy.html#disclosure

If we haven't done so when appropriate that's a failure of the security group, not the policy. As a member of that group you share in that failing.

> I propose the following changes to the policy and procedure:

A good starting point for discussion, that's what the security group mailing list is for (not, I should point out, [EMAIL PROTECTED] cc'd in this thread, which is for reporting potential problems). If you'd raise these points there I'm sure we could improve things greatly.

-Dan Veditz
