Hi!

Thank you for all of the public and private feedback on this proposed text. As a result, I think we have much better guidance to post. There are a few outstanding editorial issues to address which will occur prior to publishing.

Thanks again!

Regards,
Roman

> -----Original Message-----
> From: Roman Danyliw
> Sent: Wednesday, October 28, 2020 5:30 PM
> To: ietf@xxxxxxxx
> Subject: RE: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
>
> Hi!
>
> To make it easier to provide updates, the originally referenced PDF has been converted to markdown and added to github:
>
> https://github.com/ietf/vul-reporting-guidance
>
> Feedback on the text submitted to date with replies to this thread is tracked via issues here:
>
> https://github.com/ietf/vul-reporting-guidance/issues
>
> Regards,
> Roman
>
> > -----Original Message-----
> > From: ietf <ietf-bounces@xxxxxxxx> On Behalf Of Roman Danyliw
> > Sent: Friday, October 23, 2020 2:46 PM
> > To: ietf@xxxxxxxx
> > Subject: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
> >
> > Hi!
> >
> > The Internet Engineering Steering Group (IESG) is seeking community input on reporting protocol vulnerabilities to the IETF. Specifically, the IESG is proposing guidance to be added to the website at [1] to raise awareness on how the IETF handles this information in the standards process. The full text (which would be converted to a web page) is at:
> >
> > https://www.ietf.org/media/documents/Guidance_on_Reporting_Vulnerabilities_to_the_IETF_sqEX1Ly.pdf
> >
> > This text is intended to be written in an accessible style to help vulnerability researchers, who may not be familiar with the IETF, navigate existing processes to disclose and remediate these vulnerabilities. With the exception of creating a last resort reporting email alias (protocol-vulnerability@xxxxxxxx), this text is describing current practices in the IETF, albeit ones that may not be consistently applied.
> >
> > This guidance will serve as a complement to the recently written IETF LLC infrastructure and protocol vulnerability disclosure statement [2].
> >
> > The IESG appreciates any input from the community on the proposed text and will consider all input received by November 7, 2020.
> >
> > Regards,
> > Roman
> > (for the IESG)
> >
> > [1] This guidance text would be added to a new URL at https://www.ietf.org/standards/rfcs/vulnerabilities, and then referenced from www.ietf.org/contact, https://www.ietf.org/standards/process/, https://www.ietf.org/standards/rfcs/, and https://www.ietf.org/topics/security/
> >
> > [2] https://www.ietf.org/about/administration/policies-procedures/vulnerability-disclosure