[openssl-project] Simplifying the security policy

Mark J Cox mark at awe.com
Tue Jan 23 14:46:05 UTC 2018

Hi, this passed an OMC vote and has been updated.  Thanks!

On Mon, Jan 15, 2018 at 3:07 PM, Mark J Cox <mark at awe.com> wrote:
> At our face to face we took a look at the security policy and noticed
> that it contained a lot of background details of why we decided on the
> policy that we did (in light mostly of the issues back in 2014) as
> well as a bit of repeated and redundant information.  I've taken some
> time to simplify it, clean it up, and remove the redundant sections
> with the intention of not changing any of the actual policy.   See
> attached draft, which I'll run a vote on if there are no silly
> mistakes or problems.
> https://www.openssl.org/policies/secpolicy.html
> Detailed changes:
> - removed introductory wordy paragraphs
> - how to report issues is already covered on another page so just
> replace with link
> - consolidate who we tell about issues into new 'triage' section (it
> was in 3 different places) explain why we work with those folks
> - take out most of the background section.  Where the background forms
> part of our reasons for doing something include them in a new section
> 'principles' at the end with the same wording.
> -- removed "the more people you tell" leak statement
> -- consolidated how we benefit from prenotifying people into earlier section
> -- removed competitive phrases
> -- removed why we don't run our own prenotification list and who we've
> tried to use in the past
> - no changes to severity wording
> - simplify prenotification section wording without changing what we do
> or who we tell
> Mark
