[gnutls-devel] handling security issues

Daniel P. Berrange berrange at redhat.com
Wed Feb 22 13:19:31 CET 2017


On Wed, Feb 22, 2017 at 01:16:00PM +0100, Nikos Mavrogiannopoulos wrote:
> On Tue, Feb 21, 2017 at 2:06 PM, Daniel P. Berrange <berrange at redhat.com> wrote:
> > On Tue, Feb 21, 2017 at 01:38:45PM +0100, Nikos Mavrogiannopoulos wrote:
> >> Hi,
> >>  I've tried to make the current ad-hoc handling of security issues
> >> with something more formally defined at:
> >> https://gitlab.com/gnutls/gnutls/blob/master/SECURITY.md
> >>
> >> My goal is to establish some more objective criteria than my opinion
> >> on when an issue will be handled as a security issue and an advisory
> >> will be issued. In the text above I've used the CVSS scoring which
> >> seems to be generic and objective enough. Any comments or suggestions
> >> on the above text?
> > The text indicates a permissible 3 month window between bug report
> > and committing of a fix. Can you clarify that further, in particular
> > does that mean you'd accept requests for many month long embargo
> > periods on non-public bug reports?
> 
> I meant it to be as an upper bound on the time between report and fix.
> Do you suggest that we make a distinction between that time and the
> acceptable embargo time imposed by reporters?

Yeah, if you consider acceptable embargo times to be different/less than
this 3 month upper bound for code fix, then I think it'd be worth making
that explicit so people don't misinterpret it as I did.

> > As an app dev using gnutls, I'd like to think the time between security
> > bugs being reported & info + fix being made public, would be measured
> > in days, or weeks, and certainly no more than 1 month at a maximum.
> 
> Certainly and I believe the average time of fixes is typically counted
> in days (though fixes get bundled in the monthly based release).
> However, there cannot be strict SLAs, but more like recommended
> guidelines/principles.

Yep, understood.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|
