SECURITY.md currently says:

    A disclosure date is negotiated by the security team working with the bug submitter as well as vendors. However, the Open vSwitch security team holds the final say when setting a disclosure date. The timeframe for disclosure is from immediate (esp. if it's already publicly known) to a few weeks. As a basic default policy, we expect report date to disclosure date to be 3~5 business days.

When we recently put an actual vulnerability through this process, we discovered that this is far too short. At VMware, for example, it takes about 10 business days to put an NSX release through all of the internal processes needed to make it available to customers. A lot of that is QA, but even if that were to be skipped (which would be difficult), 5 days is terribly short.

I realize that VMware is not at the forefront of efficiency here, but I think that other downstream users of Open vSwitch are likely to have enterprise-y schedules as well. Probably, we are not yet aware of most of these, but my guess is that since Open vSwitch is gaining a higher profile we will start to see vulnerability reports regularly and other enterprise software companies will start to sign up as downstreams.

I suggest that we increase our policy from 3-5 business days to 10-15.

Your thoughts?

Thanks,

Ben.

_______________________________________________
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss