[ relaying for a friend ]
It's missing a commitment to remedy problems promptly.
I don't regard "We aim to address all validated vulnerabilities
that are brought to our attention as quickly as possible" as
sufficient.
And the "Limitations" section needs work―you often don't
know there's a problem without a slight violation of those
terms.
[ i add ]
as it differs significantly from the policies of many others, i suspect
it was overly invented as opposed to borrowed. this is not fashion in
security.
the current fashion in disclosure window length is 90 days. no, i do
not know why if is not three months; but i am sure this list could
discuss that difference for 90 days.
the llc's proposal should be an internet-draft, please.
randy
