Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Hi Jay


To unpick this we need to consider the perspective of potential reporters and their different motivations:

1.  People who already know the IETF will already know that they can contact the appropriate WG and/or authors and so don’t need to be told that.  If they don’t have a problem with that then there’s nothing to be done, but if they believe that this approach will not work then an alternate mechanism is needed.  The text above suggests that this is not an alternative mechanism, simply an issue routing support mechanism, and so is unlikely to address that need.

Our people have no need of any of this.  They understand our processes, and know how to maneuver them.  This document doesn’t really address them.


2.  In my experience, vulnerability reporters who do not know the organisation they are reporting to want to know that the organisation commits to seriously consider the result, and want a simple, centralised mechanism for reporting.  People who do not know the IETF will struggle to find the appropriate WG and/or authors and so hopefully skip to the single email address, but the positioning of that has no suggestion of either commitment or seriousness and so I don’t think that meets their needs either.

Yes, they will struggle to find the appropriate working group.  As to positioning...



To be clear, when I say "commitment" I don’t mean "I commit to fix this problem" but "I commit to ensure this problem is put before the right people and given proper consideration".

… PRs welcome ;-).

Eliot
