[eclipse.org-architecture-council] [Bug 337006] New: Security procedures: Disclosure
- From: bugzilla-daemon@xxxxxxxxxxx
- Date: Fri, 11 Feb 2011 15:20:56 -0500
- Auto-submitted: auto-generated
- Delivered-to: email@example.com
Product/Component: Community / Architecture Council
Summary: Security procedures: Disclosure
Classification: Eclipse Foundation
Component: Architecture Council
How/when do we disclose security issues?
One important consideration is that would-be evil-doers can use the disclosed
vulnerability in an attack against unpatched installations. But people can't
protect themselves against attack if they don't know about the problem and fix.
Of course, this sort of discussion ends up being very circular. Ultimately, I
believe that security issues need to be reported to the general population.
As discussed in Bug 337005, we have the ability to mark Bugzillas as
"committers-only". When do we turn off this flag?
The Bugzilla Project uses a progressive disclosure strategy to disclose. The
team contacts the people they know and trust who are using Bugzilla, informs
them (by adding them to the cc list of the bug) of the issue and invites them to
apply the patch. Those folks who are in the "circle of trust" can themselves
invite in others that they know. It happens very organically.
Should we explore something similar?
When a fix is available, the project can add known and trusted adopters and
users to the conversation. Once everybody has had sufficient opportunity to
apply the patches and prepare, the rest of the world can be informed.
We might also consider a disclosure to the whole membership ahead of open
What do we do if a patch is just taking too long, or simply cannot be produced?
I think that we should leave it to the project's discretion (they know their
community best) to decide if early disclosure makes sense (i.e. allow consumers
Opening up the bug (turning off the "committers-only" flag) is a sort of quiet
disclosure; nobody new will find out about the bug unless they come across it
as part of a search. How should we inform the broader community? Tweet? RSS?
Wiki Page? Blog?
It's probably a good idea to have a single place on eclipse.org where all
vulnerabilities can be discovered. Or is that a good idea?