Re: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement

> On 6/08/2020, at 8:22 AM, Randy Bush <randy@xxxxxxx> wrote:
> 
> i had planned to drop the thread, but mirja beat me up for being
> obscure.  so my apologies for trying again.
> 
> first, i am an amateur here.  i do some opsec, have taught, but am not
> an expert.  which is why i passed it to a friend with deeper expertise.
> 
> embargo periods seem to vary.  but my amateur observation is that the
> mode seems to be 90 days.  as long as it is not ridiculous, i would
> prefer not to have a dog in this fight.

As noted twice now, adding a deadline is reasonable, as is 90 days for that deadline, and that has already been included in the latest update.

> 
> but the issue my friend raised which concerns me more is adding a more
> restrictive "Limitations" section than already covered by law and custom.
> i am a researcher.  i have dabbled in opsec research, and conducted
> attacks on the live global internet for that purpose, e.g. see [0].
> real researchers act responsibly.  attackers do not.  do not deter and
> further complicate the lives of the researchers who are trying to help
> you deter the attackers.
> 
> the ietf is not a special snowflake, just a noisy one.

Indeed, and this proposed policy is in no way a special snowflake policy.

Please remember that the limitations section goes hand-in-hand with the commitment not to take legal action against those who follow the policy. Without the former the latter is not possible, and the latter is regarded as important by security researchers.

Here are just two examples of suspiciously similar looking policies replete with both limitations and a commitment regarding legal action:

	https://trust.salesforce.com/en/security/responsible-disclosure-policy/
	https://www.okta.com/vulnerability-reporting-policy/

To understand just how common it is to have these limitations, you can take this one:

	"Accessing, or attempting to access, data or information that you are not authorised to access"

and use the original version before our slight amendment:

	"Accessing, or attempting to access, data or information that does not belong to you"

and do a web search for that, which should provide sufficient evidence that this is not overly invented.


BTW, when I told you earlier that the sec ADs had reviewed this I was only partially correct: one did but not the other. Apologies for that.

Jay


> 
> randy
> 
> 
> [0] - https://archive.psg.com/181101.imc-communities.pdf
> 

-- 
Jay Daley
IETF Executive Director
jay@xxxxxxxx