The TAG and the Security Disclosures BP doc

Hello PLH,

In our TAG face-to-face, we've just discussed the Security Disclosures
doc.  As you've probably seen from the issue threads in GitHub [1,2], we
left the following comments:

We also appreciate the initial work on the W3C Security Disclosure Best
Practices and find that they do contribute to fostering a web ecosystem
that benefits from continual testing. We are pleased to see progress
against the situation outlined in our 2015 resolution, Assuring a Strong
and Secure Web Platform.

However, we find that this document covers just the use case of inadvertent
security vulnerabilities in a web technology. We note that some of the
concerns raised during the development of EME centre around the possibility
of deliberately unethical or malicious implementations of EME — for example
an implementation that might use EME APIs to exfiltrate sensitive data from
a user’s operating system. These Best Practices are unlikely to help a
security researcher in such a situation. The Best Practices appear to be
supporting vulnerabilities that both researchers and the specific
implementor would agree need attention; our additional concern is for
potential exploits that might not meet this use case.

We want to make clear that, while this effort is a useful contribution to
the problem we outlined in our resolution, it is not sufficient to
adequately protect security researchers who are helping us build a stronger
web. We encourage continued development of these best practices, and want
to further encourage W3C policy to continue to find new ways to assure that
broad testing and security audit is able to grow on a scale in line with
the development in the web.

I'm not sure about the status of the BP document.  Will work on it
continue?  Is that feedback useful, or can I do anything to make it more
useful? We do want to support the effort.

Cheers,

   Hadley

[1] https://github.com/w3c/security-disclosure/issues/4
[2] https://github.com/w3c/encrypted-media/issues/389#issuecomment-294899194

Received on Thursday, 27 April 2017 07:06:56 UTC