| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: coley at linus.mitre.org (Steven M. Christey) Subject: Re: it\'s all about timing "Robert A. Seace" <ras@...rtibartfast.magrathea.com> said: >> 3.3.1 Vendor Responsibilities >> >> 7) The Vendor SHOULD recognize that inexperienced or malicious >> reporters may not use proper notification, and define its own >> procedures for handling such cases. > > Why must they automatically be labelled either "inexperienced" >or "malicious", if they don't choose to follow the chosen guidelines?? >Suppose they simply disagree with those guidelines? They may feel >it's not THEIR job to spend a large portion of their time trying to >educate the vendor about their own broken software... > >... if you're still modifying this "policy", I would really >suggest changing that language... Just drop the whole labelling >of such people, and simply say something like, "Some reporters >may not follow these guidelines for notification."... Good point, duly noted. Many of the items in the draft try to give a rationale for why the item is there. In this case, the rationale is mixed with the recommendation, and as you point out, it's incomplete anyway. There are a number of reasons why someone may not use "proper" notification. Thanks, - Steve
Powered by blists - more mailing lists