At our face to face we took a look at the security policy and noticed that it contained a lot of background details of why we decided on the policy that we did (in light mostly of the issues back in 2014) as well as a bit of repeated and redundant information. We've taken some time to simplify it, clean it up, and remove the redundant sections with the intention of not changing any of the actual policy.

This passed an OMC vote and is now updated here: https://www.openssl.org/policies/secpolicy.html

Also as a reminder, last week we also explained a slight increase in the pre-disclosure time: https://www.openssl.org/blog/blog/2018/01/18/f2f-london/

Detailed changes:

- removed introductory wordy paragraphs
- how to report issues is already covered on another page so just replace with link
- consolidate who we tell about issues into new 'triage' section (it was in 3 different places); explain why we work with those folks
- take out most of the background section. Where the background forms part of our reasons for doing something, include them in a new section 'principles' at the end with the same wording.
  -- removed "the more people you tell" leak statement
  -- consolidated how we benefit from prenotifying people into earlier section
  -- removed competitive phrases
  -- removed why we don't run our own prenotification list and who we've tried to use in the past
- no changes to severity wording
- simplify prenotification section wording without changing what we do or who we tell

Mark

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users