On HME extension and vulnerability disclosure programs


This is an update on the status of the HTML Media Extensions charter
extension and the Proposed Recommendation transition request for the
Encrypted Media Extensions specification.

Further to the recent review regarding the HTML Media Extensions Working 
Group, the Director has been reviewing the expressions of support to 
continue the work as well as the objections to continuing the work in 
its present form.

While the Director recognized the technical progress and stability of
the work, the lack of consensus to protect security researchers remained 
an issue. The Director had asked the Team to find a resolution that was 
agreed to by both supporters of the charter extension and objectors. The 
team was unable to find such a resolution. The Director has concluded 
that the best practical method to improve protections at this stage is 
to overrule the objections of the charter extension, but establish 
momentum for protection by establishing best practices for responsible 
vulnerability disclosure.

In the interest of promoting vulnerability disclosure programs, W3C will 
establish a set of guidelines intended to protect security and privacy 
researchers when proper and reasonable disclosure procedures are followed.

Specifically, the W3C Team will publish on 2 March 2017 a set of
guidelines for vulnerability disclosure programs that protect security
and privacy researchers as a W3C Team submission. This will represent
our initial sense of best practice and will serve as input for further
work in this space. Prior to the publication of the team submission,
input will be welcome on public-security-disclosure@w3.org. The
Responsible Vulnerability Disclosure program [1] established by Netflix
will be used as a starting point.

Following the 2 March date, the W3C Director will send a Call for Review 
for the Encrypted Media Extensions Proposed Recommendation, soliciting 
feedback and expression of interest for the specification and the 
initial draft of W3C guidelines for security and privacy researchers 
disclosure programs.

The Working Group Charter [2] is hereby extended until 30 April 2017.

More information could be found at


[1] https://help.netflix.com/en/node/6657#gsc.tab=0
[2] http://www.w3.org/2013/09/html-charter.html

Received on Friday, 27 January 2017 23:41:28 UTC