On Friday, January 02, 2015 05:57:14 PM Ben Pfaff wrote:
> On Fri, Jan 02, 2015 at 01:44:49PM -0800, Ben Pfaff wrote:
> > Open vSwitch needs some kind of process for handling vulnerabilities. So
> > far, we've been pretty lucky that way, but it can't last forever, and I
> > think we'll be better off if we have at least the outline of an established
> > process whenever a significant vulnerability comes along. Here's my draft
> > of a process based on the documentation of the OpenStack process at
> > https://wiki.openstack.org/wiki/Vulnerability_Management.
> >
> > I don't have a lot of experience with this kind of thing myself, so I'd
> > appreciate critical review from anyone who does.
> >
> > Signed-off-by: Ben Pfaff <b...@nicira.com>
>
> I received the following suggestions in private email from a person who
> said that I could pass them along to the list as long as I do not use
> his name because he prefers "not to be associated with the security
> field." Fair enough! Here they are:
>
> 1) Consider provisions for ensuring privacy and integrity of
> communications around disclosure (eg, use PGP for all comms).
Yes, exactly what I meant in the other reply. I think it should be
recommended but not required for the reporter when reporting the issue
to the list. Further communications are required to ensure privacy and
integrity.

fbl

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev