[openssl-project] Simplifying the security policy

Mark J Cox mark at awe.com
Mon Jan 15 15:07:00 UTC 2018


At our face to face we took a look at the security policy and noticed
that it contained a lot of background details of why we decided on the
policy that we did (in light mostly of the issues back in 2014) as
well as a bit of repeated and redundant information.  I've taken some
time to simplify it, clean it up, and remove the redundant sections
with the intention of not changing any of the actual policy.   See
attached draft, which I'll run a vote on if there are no silly
mistakes or problems.

https://www.openssl.org/policies/secpolicy.html

Detailed changes:
- removed introductory wordy paragraphs
- how to report issues is already covered on another page so just
replace with link
- consolidate who we tell about issues into a new 'triage' section (it
was in 3 different places) and explain why we work with those folks
- take out most of the background section.  Where the background forms
part of our reasons for doing something, include it in a new section
'principles' at the end with the same wording.
-- removed "the more people you tell" leak statement
-- consolidated how we benefit from prenotifying people into earlier section
-- removed competitive phrases
-- removed why we don't run our own prenotification list and who we've
tried to use in the past
- no changes to severity wording
- simplify prenotification section wording without changing what we do
or who we tell

Mark