Valdis.Kletnieks@vt.edu writes: > The general consensus as I read it was that the christey-wysopal draft was > generally considered a very good and reasonable document. There was quite a bit rejection, and some very profound criticism (the killer argument, IMHO, is that a large part of the industry does not accept _any_ disclosure at all). However, this is now a strawman. The document has clearly been overtaken by events (if it has ever been up-to-date). For example, it ignores that currently, those people who are expected to play the role of Coordinators usually provide paid prepublication access to vulnerability information. The draft does not require Coordinators to keep the information they receive strictly confidental, but I'm not sure if this was the intent of the authors or just an oversight. (I'm sorry for the long Cc: list; I'm not sure if it is appropriate. Please complain if you don't want to receive further messages.)