Salz, Rich <rsalz=40akamai.com@xxxxxxxxxxxxxx> wrote:
    >> Having worked on OpenSSL for many years, the absolute worst thing you
    >> can do is not respond to reported vulnerabilities. Even if it's just an
    >> auto-reply that says "thanks we got it."

Agreed. And this is a place where I think it's worth having a link sent to
them that they can manage their report. (With a JWT bearer token of course)
That way, we can age-out reports for which the link was never followed,
otherwise the spam load is going to kill us.

    > I also think it would be worth pointing out more strongly that we are
    > interested in *protocol* errors, not *implementation* errors, and
    > making that distinction clear.

Given the number of people who can't distinguish openssh from openssl, I am
rather skeptical that we will get far here.

I think that we will need a button sending an implementation/protocol FAQ,
and it's probably not unreasonable that we might need three iterations to
get that explanation right, and perhaps even engage some kind of
communications expert to help us draft it.

--
Michael Richardson <mcr+IETF@xxxxxxxxxxxx>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
Attachment:
signature.asc
Description: PGP signature
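The mechanism sketched in the message above (a self-service link carrying a JWT bearer token, and aging out reports whose link is never followed) worked through as an added example. This is not code from the thread or from any IETF tooling; it assumes a standard-library HS256 JWT, a constructed shared secret, a 14-day confirmation window, and an in-memory report store, all of which are illustrative choices. The verifier pins the algorithm to HS256 before checking the signature, so a token with `"alg":"none"` or any other algorithm is rejected outright.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; a real deployment would load the
# secret from a KMS or environment and tune the window to its triage SLA.
SECRET = b"constructed-example-secret-do-not-reuse"
CONFIRM_TTL = 14 * 24 * 3600  # seconds a reporter has to follow the link


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def mint_report_token(report_id: str, now: int, ttl: int = CONFIRM_TTL) -> str:
    """Build an HS256 JWT whose subject is the report and whose exp ends the window."""
    header = _b64url(_compact_json({"alg": "HS256", "typ": "JWT"}))
    payload = _b64url(_compact_json({"sub": report_id, "iat": now, "exp": now + ttl}))
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_report_token(token: str, now: int):
    """Return the payload dict if the token is well-formed, HS256, unexpired and
    correctly signed; otherwise None. Algorithm is checked before the MAC."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claimed_sig = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":          # refuses "none" and alg confusion
        return None
    expected = hmac.new(SECRET, f"{parts[0]}.{parts[1]}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, claimed_sig):
        return None
    try:
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


class ReportQueue:
    """Minimal intake queue: a report is kept only if its management link is used."""

    def __init__(self):
        self.reports = {}

    def submit(self, report_id: str, now: int) -> str:
        self.reports[report_id] = {"submitted": now, "confirmed": False}
        return mint_report_token(report_id, now)   # goes into the auto-reply

    def follow_link(self, token: str, now: int) -> bool:
        payload = verify_report_token(token, now)
        if payload is None or payload.get("sub") not in self.reports:
            return False
        self.reports[payload["sub"]]["confirmed"] = True
        return True

    def age_out(self, now: int) -> list:
        """Drop unconfirmed reports whose window has closed; return their ids."""
        expired = [rid for rid, r in self.reports.items()
                   if not r["confirmed"] and r["submitted"] + CONFIRM_TTL <= now]
        for rid in expired:
            del self.reports[rid]
        return expired


if __name__ == "__main__":
    q = ReportQueue()
    t0 = int(time.time())
    link = q.submit("report-0001", t0)
    print("confirmed:", q.follow_link(link, t0 + 60))
    print("aged out:", q.age_out(t0 + CONFIRM_TTL))
```

The token's `exp` and the queue's age-out use the same window, so a link that still verifies always points at a report that still exists, and a report that has been dropped cannot be revived by replaying an old link.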