[eclipse.org-architecture-council] [Bug 337006] New: Security procedures: Disclosure

https://bugs.eclipse.org/bugs/show_bug.cgi?id=337006
Product/Component: Community / Architecture Council

           Summary: Security procedures: Disclosure
    Classification: Eclipse Foundation
           Product: Community
           Version: unspecified
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Architecture Council
        AssignedTo: eclipse.org-architecture-council@xxxxxxxxxxx
        ReportedBy: wayne@xxxxxxxxxxx
            Blocks: 337004


How/when do we disclose security issues?

One important consideration is that would-be evil-doers can use the disclosed
vulnerability in an attack against unpatched installations. But people can't
protect themselves against attack if they don't know about the problem and fix.
Of course, this sort of discussion ends up being very circular. Ultimately, I
believe that security issues need to be reported to the general population.

As discussed in Bug 337005, we have the ability to mark Bugzillas as
"committers-only". When do we turn off this flag?

The Bugzilla Project uses a progressive disclosure strategy to disclose. The
team contacts the people they know and trust who are using Bugzilla, informs
them (by adding them to the cc list of the bug) of the issue, and invites them to
apply the patch. Those folks who are in the "circle of trust" can themselves
invite in others that they know. It happens very organically.

Should we explore something similar?

When a fix is available, the project can add known and trusted adopters and
users to the conversation. Once everybody has had sufficient opportunity to
apply the patches and prepare, the rest of the world can be informed.

We might also consider a disclosure to the whole membership ahead of open
disclosure.

What do we do if a patch is just taking too long, or simply cannot be produced?
I think that we should leave it to the project's discretion (they know their
community best) to decide if early disclosure makes sense (i.e. allow consumers
to prepare).

Opening up the bug (turning off the "committers-only" flag) is a sort of quiet
disclosure; nobody new will find out about the bug unless they come across it
as part of a search. How should we inform the broader community? Tweet? RSS?
Wiki Page? Blog? 

It's probably a good idea to have a single place on eclipse.org where all
vulnerabilities can be discovered. Or is that a good idea?
