|[eclipse.org-architecture-council] [Bug 337006] New: Security procedures: Disclosure|
https://bugs.eclipse.org/bugs/show_bug.cgi?id=337006

Product/Component: Community / Architecture Council
Summary: Security procedures: Disclosure
Classification: Eclipse Foundation
Product: Community
Version: unspecified
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P3
Component: Architecture Council
AssignedTo: eclipse.org-architecture-council@xxxxxxxxxxx
ReportedBy: wayne@xxxxxxxxxxx
Blocks: 337004

How/when do we disclose security issues?

One important consideration is that would-be evil-doers can use the disclosed vulnerability in an attack against unpatched installations. But people can't protect themselves against attack if they don't know about the problem and fix. Of course, this sort of discussion ends up being very circular. Ultimately, I believe that security issues need to be reported to the general population.

As discussed in Bug 337005, we have the ability to mark Bugzillas as "committers-only". When do we turn off this flag?

The Bugzilla Project uses a progressive disclosure strategy to disclose. The team contacts the people they know and trust who are using Bugzilla and informs them (by adding them to the cc list of the bug) of the issue and invites them to apply the patch. Those folks who are in the "circle of trust" can themselves invite in others that they know. It happens very organically.

Should we explore something similar? When a fix is available, the project can add known and trusted adopters and users to the conversation. Once everybody has had sufficient opportunity to apply the patches and prepare, the rest of the world can be informed. We might also consider a disclosure to the whole membership ahead of open disclosure.

What do we do if a patch is just taking too long, or simply cannot be produced? I think that we should leave it to the project's discretion (they know their community best) to decide if early disclosure makes sense (i.e. allow consumers to prepare).

Opening up the bug (turning off the "committers-only" flag) is a sort of quiet disclosure; nobody new will find out about the bug unless they come across it as part of a search. How should we inform the broader community? Tweet? RSS? Wiki page? Blog? It's probably a good idea to have a single place on eclipse.org where all vulnerabilities can be discovered. Or is that a good idea?