[gnutls-devel] handling security issues

Daniel P. Berrange berrange at redhat.com
Tue Feb 21 14:06:09 CET 2017

On Tue, Feb 21, 2017 at 01:38:45PM +0100, Nikos Mavrogiannopoulos wrote:
> Hi,
>  I've tried to make the current ad-hoc handling of security issues
> with something more formally defined at:
> https://gitlab.com/gnutls/gnutls/blob/master/SECURITY.md
> My goal is to establish some more objective criteria than my opinion
> on when an issue will be handled as a security issue and an advisory
> will be issued. In the text above I've used the CVSS scoring which
> seems to be generic and objective enough. Any comments or suggestions
> on the above text?

The text indicates a permissible 3 month window between bug report
and comitting of a fix. Can you clarify that further, in particular
does that mean you'd accept requests for many month long embargo
periods on non-public bug reports ?

As an app dev using gnutls, I'd like to think the time between security
bugs being reported & info + fix being made public, would be measured
in days, or weeks, and certainly no more than 1 month at a maximum.

|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|

More information about the Gnutls-devel mailing list