[openssl-users] Fwd: Simplifying the security policy
Mark J Cox
mark at openssl.org
Tue Jan 23 14:45:32 UTC 2018
At our face to face we took a look at the security policy and noticed
that it contained a lot of background details of why we decided on the
policy that we did (in light mostly of the issues back in 2014) as
well as a bit of repeated and redundant information. We've taken some
time to simplify it, clean it up, and remove the redundant sections
with the intention of not changing any of the actual policy. This passed
an OMC vote and is now updated here:
https://www.openssl.org/policies/secpolicy.html
Also as a reminder, last week we also explained a slight increase in the
pre-disclosure time: https://www.openssl.org/blog/blog/2018/01/18/f2f-london/
Detailed changes:
- removed introductory wordy paragraphs
- how to report issues is already covered on another page so just
replace with link
- consolidate who we tell about issues into new 'triage' section (it
was in 3 different places) explain why we work with those folks
- take out most of the background section. Where the background forms
part of our reasons for doing something include them in a new section
'principles' at the end with the same wording.
-- removed "the more people you tell" leak statement
-- consolidated how we benefit from prenotifying people into earlier section
-- removed competitive phrases
-- removed why we don't run our own prenotification list and who we've
tired to use in the past
- no changes to severity wording
- simplify prenotification section wording without changing what we do
or who we tell
Mark
More information about the openssl-users
mailing list