[gnutls-devel] handling security issues

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Wed Feb 22 13:16:00 CET 2017


On Tue, Feb 21, 2017 at 2:06 PM, Daniel P. Berrange <berrange at redhat.com> wrote:
> On Tue, Feb 21, 2017 at 01:38:45PM +0100, Nikos Mavrogiannopoulos wrote:
>> Hi,
>>  I've tried to make the current ad-hoc handling of security issues
>> with something more formally defined at:
>> https://gitlab.com/gnutls/gnutls/blob/master/SECURITY.md
>>
>> My goal is to establish some more objective criteria than my opinion
>> on when an issue will be handled as a security issue and an advisory
>> will be issued. In the text above I've used the CVSS scoring which
>> seems to be generic and objective enough. Any comments or suggestions
>> on the above text?
> The text indicates a permissible 3 month window between bug report
> and committing of a fix. Can you clarify that further, in particular
> does that mean you'd accept requests for many month long embargo
> periods on non-public bug reports ?

I meant it to be as an upper bound on the time between report and fix.
Do you suggest that we make a distinction between that time and the
acceptable embargo time imposed by reporters?

> As an app dev using gnutls, I'd like to think the time between security
> bugs being reported & info + fix being made public, would be measured
> in days, or weeks, and certainly no more than 1 month at a maximum.

Certainly, and I believe the average time of fixes is typically counted
in days (though fixes get bundled in the monthly-based release).
However, there cannot be strict SLAs, but more like recommended
guidelines/principles.

regards,
Nikos
