I would love to see comment on these 2 key questions: (1) > * The proposed mechanism for reporting a vulnerability. When I originally thought about this I was concerned at the default to use email, acknowledging that this is something with which most IETF participants are quite comfortable. I wondered if it might be better to specify that a web interface was the reporting method, which would automatically generate a report ID number on submission that a bug reporter could use for their reference later on. In contrast, an email may not arrive or may be delayed and automatically generating an acknowledgement response with a ticket/tracking number would rely on an additional system that may have communications issues with the email system. It seems like a web-based reporting system may also provide a better level of security protection by encrypting the channel & contents of the communication vs. less secure email. (2) > * What the email address should be for reports to be sent to. @Jay - Can you list the options being considered here to help aid the discussion? Thanks Jason
