Hi Rich!

Thanks for the review.

> -----Original Message-----
> From: Salz, Rich <rsalz@xxxxxxxxxx>
> Sent: Friday, October 23, 2020 3:58 PM
> To: Roman Danyliw <rdd@xxxxxxxx>; ietf@xxxxxxxx
> Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
>
> I would put the "WE don't pay" sentence at the top, right after the intro paragraph.

Yes, that can be added more prominently in the initial introductory text.

Regards,
Roman

> On 10/23/20, 2:46 PM, "Roman Danyliw" <rdd@xxxxxxxx> wrote:
>
> Hi!
>
> The Internet Engineering Steering Group (IESG) is seeking community input on reporting protocol vulnerabilities to the IETF. Specifically, the IESG is proposing guidance to be added to the website at [1] to raise awareness on how the IETF handles this information in the standards process. The full text (which would be converted to a web page) is at:
>
> https://www.ietf.org/media/documents/Guidance_on_Reporting_Vulnerabilities_to_the_IETF_sqEX1Ly.pdf
>
> This text is intended to be written in an accessible style to help vulnerability researchers, who may not be familiar with the IETF, navigate existing processes to disclose and remediate these vulnerabilities. With the exception of creating a last resort reporting email alias (protocol-vulnerability@xxxxxxxx), this text is describing current practices in the IETF, albeit ones that may not be consistently applied.
>
> This guidance will serve as a complement to the recently written IETF LLC infrastructure and protocol vulnerability disclosure statement [2].
>
> The IESG appreciates any input from the community on the proposed text and will consider all input received by November 7, 2020.
>
> Regards,
> Roman
> (for the IESG)
>
> [1] This guidance text would be added to a new URL at https://www.ietf.org/standards/rfcs/vulnerabilities, and then referenced from http://www.ietf.org/contact, https://www.ietf.org/standards/process/, https://www.ietf.org/standards/rfcs/, and https://www.ietf.org/topics/security/
>
> [2] https://www.ietf.org/about/administration/policies-procedures/vulnerability-disclosure