On Mon, Oct 26, 2020 at 11:58:33PM +0400, Loganaden Velvindron wrote:
> There have been cases where security researchers feel that the
> organizations are taking too long and then they decide to publish full
> details including Proof of Concept. I think that the document should
> encourage researchers to wait before releasing full PoC until the
> proper errata has been published.

How do you even qualify vulnerabilities as something other than "text we could have added to the security considerations section, but nobody thought the attack vector would be exploited"?

Other question: How do you decide between protocol and implementation? E.g.: the distinction between IKEv2/ESP allows me to implement better defense against DoS with advanced endpoint hardware. TLS does not have this. So ... implementation or protocol issue?

Toerless

> > This guidance will serve as a complement to the recently written IETF LLC infrastructure and protocol vulnerability disclosure statement [2].
> >
> > The IESG appreciates any input from the community on the proposed text and will consider all input received by November 7, 2020.
> >
> > Regards,
> > Roman
> > (for the IESG)
> >
> > [1] This guidance text would be added to a new URL at https://www.ietf.org/standards/rfcs/vulnerabilities, and then referenced from www.ietf.org/contact, https://www.ietf.org/standards/process/, https://www.ietf.org/standards/rfcs/, and https://www.ietf.org/topics/security/
> >
> > [2] https://www.ietf.org/about/administration/policies-procedures/vulnerability-disclosure
> >

--
---
tte@xxxxxxxxx