* Andreas Barth:

> Actually, we hide security bugs. Of course not, if they are filed
> into the bts, but we hide them if they are sent to [EMAIL PROTECTED]
> Please don't misunderstand me; I think the current approach is the
> right one, but with literal reading SC #3 is tangled (and I know that
> Florian disagrees with me here).

Just for the record, because opinions sometimes change over time: I see this particular case as a mere example where we must somehow balance one goal expressed in the SC against another, conflicting one. I think it's important to realize that the SC does not automatically offer a clear-cut answer to every complex question.

Furthermore, I no longer closely follow developments in vulnerability handling. I simply do not know if vendor-sec is playing into the hands of commercial vulnerability resellers such as CERT/CC / US-CERT / Internet Security Alliance, OIS, SecurityFocus / Symantec and so on (those companies who do have a public BTS which incurs a noticeable publication delay, to protect their business interests more than their users' interests).