> >Is clear that the second process -- intending to also take an ethical
> >path for disclosure -- should not specifically exclude a part of the
> >community.
>
> They specifically exclude parts of the community that specifically
> say they don't want to be INCLUDED.
>
> See: http://seclists.org/oss-sec/2014/q2/233
Dear Anonymous,
That discussion is unrelated. I made a personal statement that I did
not wish to participate in another private mailing list, stating my
reasons as clearly as I could.
My personal participation in such a mailing list is very distinct from
OpenSSL's social responsibility to inform
- the 10+ developers working on LibreSSL (I am only a minor
part of that sub-group).
- the security-concerned sub-group of OpenBSD (I play a big
part in that, but not in regards to the SSL subset, so at
most I would have handed this to the LibreSSL subgroup)
Dr. Henson of OpenSSL knew who to contact.
The other members of the private mailing list were witness to
the disclosure gap.
The choice was made there. I cannot be held responsible for this
lack of notification.
