Re: [securityig] CfC: Adopt W3C Standards Vulnerability Disclosure & Handling Process and Policy as a Work Item (#13)

Hi Jeffrey,

Thank you for raising these important concerns. I acknowledge that we are behind on our group deliverables, and we are making every effort to meet our commitments.

However, I'd like to explain why I believe adopting the W3C Standards Vulnerability Disclosure & Handling Process and Policy is essential at this time:

1. Foundational Nature: This document establishes the fundamental framework for how security vulnerabilities in W3C standards are disclosed and handled. It's not additional work competing with our threat modeling deliverables, but rather foundational infrastructure that supports all security-related work.

2. Community Enablement: By adopting this policy, we create a clear path for external contributors to report security issues in W3C standards. This directly supports our mission of delivering secure standards and ensuring the community can meaningfully contribute to security improvements.

3. Complementary to Current Work: Rather than distracting from our threat modeling deliverables (TMG and TMW), this policy actually provides the procedural framework that makes our threat modeling work more actionable.

Regarding scope: The document specifically covers vulnerability disclosure and handling processes for W3C specifications. I'm happy to work with the group to clearly define the boundaries and deliverables before we proceed.

For these reasons, I express my approval for adopting this document as a work item.

-- 
GitHub Notification of comment by innotommy
Please view or discuss this issue at https://github.com/w3c/securityig/issues/13#issuecomment-3456966956 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 28 October 2025 15:06:53 UTC