[gnutls-devel] handling security issues
Daniel P. Berrange
berrange at redhat.com
Tue Feb 21 14:06:09 CET 2017
On Tue, Feb 21, 2017 at 01:38:45PM +0100, Nikos Mavrogiannopoulos wrote:
> Hi,
> I've tried to make the current ad-hoc handling of security issues
> with something more formally defined at:
> https://gitlab.com/gnutls/gnutls/blob/master/SECURITY.md
>
> My goal is to establish some more objective criteria than my opinion
> on when an issue will be handled as a security issue and an advisory
> will be issued. In the text above I've used the CVSS scoring which
> seems to be generic and objective enough. Any comments or suggestions
> on the above text?
The text indicates a permissible 3 month window between bug report
and committing of a fix. Can you clarify that further, in particular
does that mean you'd accept requests for many-month-long embargo
periods on non-public bug reports?
As an app dev using gnutls, I'd like to think the time between security
bugs being reported & info + fix being made public, would be measured
in days, or weeks, and certainly no more than 1 month at a maximum.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :|