Re: security contact draft
From: Chris Wright
Date: Thu Jan 13 2005 - 19:16:27 EST
* Alan Cox (alan@xxxxxxxxxxxxxxxxxxx) wrote:
> On Iau, 2005-01-13 at 20:55, Chris Wright wrote:
> > To keep the conversation concrete, here's a pretty rough stab at
> > documenting the policy.
>
> It's not documenting the stuff Linus seems to be talking about which is
> a public list ? Or does Linus want both ?
I got the impression that Linus was in favor of the private one,
despite his own leanings to absolute openness. I think a public one
(lkml notwithstanding) would be great for advisory announcements.
> > It is preferred that mail sent to the security contact is encrypted
> > with $PUBKEY.
>
> https:// and bugs.kernel.org ? You can make bugzilla autoprivate
> security bugs and alert people.
Yeah, I had thought about that too. Not a real bugzilla fan, but I'm
not tied to any particular method here.
> > well-tested or for vendor coordination. However, we expect these delays
> > to be short, measurable in days, not weeks or months. As a basic default
> > policy, we expect report to disclosure to be on the order of $NUMDAYS.
>
> Sounds good. $NUMDAYS is going to require some debate. My gut feeling is
> 14 days is probably the right kind of target for hard stuff remembering
> how long it takes to run QA on an enterprise grade kernel. If it gets
> too short then vendors are going to disclose elsewhere for their own
> findings and only to this list when they are all ready anyway which
> takes us back to square one.
>
> And many are probably a lot less - those nobody is going to rush out and
> build new vendor kernels for, or those that prove to be non serious can
> probably get bumped to the public list by the security officer within a
> day or two.
Yup, I think the severity and ease of exploit are part of the discussion
around disclosure timeframe.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/