[gnutls-devel] handling security issues

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Wed Feb 22 16:42:46 CET 2017


On Wed, Feb 22, 2017 at 1:19 PM, Daniel P. Berrange <berrange at redhat.com> wrote:
> On Wed, Feb 22, 2017 at 01:16:00PM +0100, Nikos Mavrogiannopoulos wrote:
>> On Tue, Feb 21, 2017 at 2:06 PM, Daniel P. Berrange <berrange at redhat.com> wrote:
>> > On Tue, Feb 21, 2017 at 01:38:45PM +0100, Nikos Mavrogiannopoulos wrote:
>> >> Hi,
>> >>  I've tried to make the current ad-hoc handling of security issues
>> >> with something more formally defined at:
>> >> https://gitlab.com/gnutls/gnutls/blob/master/SECURITY.md
>> >>
>> >> My goal is to establish some more objective criteria than my opinion
>> >> on when an issue will be handled as a security issue and an advisory
>> >> will be issued. In the text above I've used the CVSS scoring which
>> >> seems to be generic and objective enough. Any comments or suggestions
>> >> on the above text?
>> > The text indicates a permissible 3 month window between bug report
>> > and committing of a fix. Can you clarify that further, in particular
>> > does that mean you'd accept requests for many month long embargo
>> > periods on non-public bug reports ?
>>
>> I meant it to be as an upper bound on the time between report and fix.
>> Do you suggest that we make a distinction between that time and the
>> acceptable embargo time imposed by reporters?
>
> Yeah, if you consider acceptable embargo times to be different/less than
> this 3 month upper bound for code fix, then I think it'd be worth making
> that explicit so people don't mis-interpret it as I did.

Do you mean something like amending with:
"Issues reported by third parties which request an embargo time of less than
two weeks are granted. Otherwise the issue is handled as soon as possible
and committed at two weeks' time, or when available."


regards,
Nikos