Re: security contact draft

From: Alan Cox
Date: Thu Jan 13 2005 - 16:26:22 EST


On Iau, 2005-01-13 at 20:55, Chris Wright wrote:
> To keep the conversation concrete, here's a pretty rough stab at
> documenting the policy.

It's not documenting the stuff Linus seems to be talking about which is
a public list ? Or does Linus want both ?

> It is preferred that mail sent to the security contact is encrypted
> with $PUBKEY.

https:// and bugs.kernel.org ? You can make bugzilla autoprivate
security bugs and alert people.

> well-tested or for vendor coordination. However, we expect these delays
> to be short, measurable in days, not weeks or months. As a basic default
> policy, we expect report to disclosure to be on the order of $NUMDAYS.

Sounds good. $NUMDAYS is going to require some debate. My gut feeling is
14 days is probably the right kind of target for hard stuff, remembering
how long it takes to run QA on an enterprise-grade kernel. If it gets
too short then vendors are going to disclose elsewhere for their own
findings and only to this list when they are all ready anyway, which
takes us back to square one.

And many are probably a lot less - those nobody is going to rush out and
build new vendor kernels for, or those that prove to be non-serious, can
probably get bumped to the public list by the security officer within a
day or two.

Alan
