On Fri, Oct 23, 2020 at 10:47 PM Roman Danyliw <rdd@xxxxxxxx> wrote: > > Hi! > > The Internet Engineering Steering Group (IESG) is seeking community input on reporting protocol vulnerabilities to the IETF. Specifically, the IESG is proposing guidance to be added to the website at [1] to raise awareness on how the IETF handles this information in the standards process. The full text (which would be converted to a web page) is at: > > https://www.ietf.org/media/documents/Guidance_on_Reporting_Vulnerabilities_to_the_IETF_sqEX1Ly.pdf > > This text is intended to be written in an accessible style to help vulnerability researchers, who may not be familiar with the IETF, navigate existing processes to disclose and remediate these vulnerabilities. With the exception of creating a last resort reporting email alias (protocol-vulnerability@xxxxxxxx), this text is describing current practices in the IETF, albeit ones that may not be consistently applied. I've spoken to a few security researchers and asked why they aren't willing to talk to the IETF. From their reply, it seems that they see the IETF as being "complicated". I welcome the document as it's a step forward in the right direction. There have been cases where security researchers feel that the organizations are taking too long and then they decide to publish full details including Proof of Concept. I think that the document should encourage researchers to wait before releasing full PoC until the proper errata has been published. > > This guidance will serve as a complement to the recently written IETF LLC infrastructure and protocol vulnerability disclosure statement [2]. > > The IESG appreciates any input from the community on the proposed text and will consider all input received by November 7, 2020. > > Regards, > Roman > (for the IESG) > > [1] This guidance text would be added to a new URL at https://www.ietf.org/standards/rfcs/vulnerabilities, and then referenced from www.ietf.org/contact, https://www.ietf.org/standards/process/, https://www.ietf.org/standards/rfcs/, and https://www.ietf.org/topics/security/ > > [2] https://www.ietf.org/about/administration/policies-procedures/vulnerability-disclosure > >
