[openssl-project] Simplifying the security policy

Paul Dale paul.dale at oracle.com
Mon Jan 15 20:47:57 UTC 2018


Looks good here.

Might "hard to exploit timing (side channel) attacks" be better as "hard to exploit side channel attacks"?  I.e. remove the "timing".
Also "those that produce a a general purpose" could do with one less "a".


Pauli
-- 
Oracle
Dr Paul Dale | Cryptographer | Network Security & Encryption 
Phone +61 7 3031 7217
Oracle Australia

-----Original Message-----
From: Mark J Cox [mailto:mark at awe.com] 
Sent: Tuesday, 16 January 2018 1:07 AM
To: openssl-project at openssl.org
Subject: [openssl-project] Simplifying the security policy

At our face to face we took a look at the security policy and noticed that it contained a lot of background details of why we decided on the policy that we did (in light mostly of the issues back in 2014) as well as a bit of repeated and redundant information.  I've taken some time to simplify it, clean it up, and remove the redundant sections with the intention of not changing any of the actual policy.  See attached draft, which I'll run a vote on if there are no silly mistakes or problems.

https://www.openssl.org/policies/secpolicy.html

Detailed changes:
- removed introductory wordy paragraphs
- how to report issues is already covered on another page so just replace with link
- consolidate who we tell about issues into new 'triage' section (it was in 3 different places) and explain why we work with those folks
- take out most of the background section.  Where the background forms part of our reasons for doing something include them in a new section 'principles' at the end with the same wording.
-- removed "the more people you tell" leak statement
-- consolidated how we benefit from prenotifying people into earlier section
-- removed competitive phrases
-- removed why we don't run our own prenotification list and who we've tried to use in the past
- no changes to severity wording
- simplify prenotification section wording without changing what we do or who we tell

Mark

