
Vulnerability Disclosure Policy Feedback from Daniel Beck #156

Open
JLLeitschuh opened this issue Nov 27, 2024 · 2 comments

Comments

@JLLeitschuh (Contributor)

This thread is here to invite conversation about the following thread on X

[Screenshot of the X post by @danielbeck linked below, captured 2024-11-27]

https://x.com/danielbeck/status/1860319504984617467?s=46

@JLLeitschuh (Contributor, Author)

@daniel-beck 👋

Do you have any suggested re-wording you'd prefer to see around this policy?

https://github.com/ossf/wg-vulnerability-disclosures/blob/main/docs/Outbound_Vulnerability_Disclosure_Policy_template.md

@daniel-beck

@JLLeitschuh Thanks for moving this to a far nicer platform!

I do not really have suggestions for changes to the policy, as right now I'm trying to understand why it looks like it does.

The policy gives no time for maintainers to react if a 90 day deadline is communicated first, and only later active exploitation is noticed. While maintainers have at least seven days either way, those seven days look a lot different between "we'll publish in 7 days" and "we'll publish in 90+14 days". In the former case, I'd expect an all-hands-on-deck situation, while in the latter, work may barely have started ~7 days after the report, and the maintainers may not be in a situation any different from having no heads-up warning at all.

If the goal of schedule acceleration is to protect users by giving them the information they need to protect themselves immediately after noticing exploitation, it is unclear to me why maintainers are given 7 days in the "exploitation first, then report" scenario. That seems to go against this statement:

When we observe a previously unknown (to the public) and unpatched vulnerability in software under active exploitation (a “0-day”), we believe that more urgent action is appropriate.

Given the above, I would appreciate an explanation why these cases are treated so differently, seemingly not taking into account the very different situations maintainers are in, depending on whether the issue or the exploitation was identified first. (And FWIW I would assume exploitation to have been ongoing on average for far longer if that was identified first, which makes it even more surprising that the policy is willing to give extra time in this case.)
