Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

On 28 Oct 2020, at 12:00, Eliot Lear wrote:

This is where I think there may be some subtle issue, and I don’t want to make this all about Mike.  Many researchers have no equities in our organization.  They may not even have a fix available for the very problem that they have found.  We have red teams for a reason: it’s just a different muscle.  So they see their job as finished when they’ve reported.  And then they’re on to the next thing.  That’s their incentive model.  Mike just happens to care more than most, but we shouldn’t optimize around him.

Lest there be any question: I completely agree with you on the above, Eliot. The proposal on the table from the IESG that Roman posted is a great start into how to deal with exactly those researchers you are talking about, and I fully support the idea. I don't want those folks to have to wade through the rest of IETF process if they have no intention to be part of the whole kit and caboodle of WG protocol development. The one and only thing I was responding to was Mike's analysis of the core problem based on his personal experiences. He is not like one of those researchers in that he does participate in the IETF as a regular participant, and we should absolutely not be optimizing around the cases he's concerned with.

pr
--
Pete Resnick https://www.episteme.net/
All connections to the world are tenuous at best



