Re: Draft of security disclosure best practices

From: Philippe Le Hégaret <plh@w3.org>
Date: Tue, 28 Feb 2017 16:17:31 -0500
To: Rich Kulawiec <rsk@gsp.org>
Cc: public-security-disclosure@w3.org
Message-ID: <7307562f-72b5-86b9-8718-ff9ef0f130d3@w3.org>

On 2/28/2017 1:58 PM, Rich Kulawiec wrote:
> Conclusions:
> The best disclosure is full disclosure.  Assume that worthy adversaries
> already know all the details (or will know VERY soon) and that those
> with sufficient resources and motivation have already acted (or will
> act VERY soon).  This accurately reflects contemporary reality.

I don't think the draft is disagreeing with this statement. It proposes
a time period "(usually not to exceed 90 days)" before full disclosure
can be published, attempting to find a balance between existing
regulations and researchers' needs.

> The best move for the W3C, the thing that best serves the needs of
> the billions of Internet users out there, is to drop this proposal:
> "responsible disclosure" isn't responsible.

It is actually meant as a coordinated disclosure template. It doesn't 
use the term "responsible disclosure" and doesn't attempt to push to 
shift responsibilities around.

Received on Tuesday, 28 February 2017 21:17:41 UTC