Hi Rich!

> -----Original Message-----
> From: Roman Danyliw
> Sent: Monday, October 26, 2020 7:09 PM
> To: 'Salz, Rich' <rsalz@xxxxxxxxxx>; ietf@xxxxxxxx
> Subject: RE: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
>
> Hi Rich!
>
> Thanks for the review.
>
> > -----Original Message-----
> > From: Salz, Rich <rsalz@xxxxxxxxxx>
> > Sent: Friday, October 23, 2020 3:58 PM
> > To: Roman Danyliw <rdd@xxxxxxxx>; ietf@xxxxxxxx
> > Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
> >
> > I would put the "WE don't pay" sentence at the top, right after the
> > intro paragraph.

The introductory section now closes with this "we don't pay" caution:
https://github.com/ietf/vul-reporting-guidance/commit/edd6ac432d106482a09199bfb9a139c934249577

Regards,
Roman

> Yes, that can be added more prominently in the initial introductory text.
>
> Regards,
> Roman
>
> > On 10/23/20, 2:46 PM, "Roman Danyliw" <rdd@xxxxxxxx> wrote:
> >
> >     Hi!
> >
> >     The Internet Engineering Steering Group (IESG) is seeking community
> >     input on reporting protocol vulnerabilities to the IETF. Specifically,
> >     the IESG is proposing guidance to be added to the website at [1] to
> >     raise awareness on how the IETF handles this information in the
> >     standards process. The full text (which would be converted to a web
> >     page) is at:
> >
> >     https://www.ietf.org/media/documents/Guidance_on_Reporting_Vulnerabilities_to_the_IETF_sqEX1Ly.pdf
> >
> >     This text is intended to be written in an accessible style to help
> >     vulnerability researchers, who may not be familiar with the IETF,
> >     navigate existing processes to disclose and remediate these
> >     vulnerabilities. With the exception of creating a last resort
> >     reporting email alias (protocol-vulnerability@xxxxxxxx), this text is
> >     describing current practices in the IETF, albeit ones that may not be
> >     consistently applied.
> >
> >     This guidance will serve as a complement to the recently written IETF
> >     LLC infrastructure and protocol vulnerability disclosure statement [2].
> >
> >     The IESG appreciates any input from the community on the proposed text
> >     and will consider all input received by November 7, 2020.
> >
> >     Regards,
> >     Roman
> >     (for the IESG)
> >
> >     [1] This guidance text would be added to a new URL at
> >     https://www.ietf.org/standards/rfcs/vulnerabilities , and then
> >     referenced from http://www.ietf.org/contact ,
> >     https://www.ietf.org/standards/process/ ,
> >     https://www.ietf.org/standards/rfcs/ , and
> >     https://www.ietf.org/topics/security/
> >
> >     [2] https://www.ietf.org/about/administration/policies-procedures/vulnerability-disclosure