- From: Simone Onofri <simone@w3.org>
- Date: Tue, 20 Jan 2026 23:07:21 +0100
- To: public-security@w3.org
Dear Group,

This is a Call for Consensus (CfC) for the Group publishing the “W3C Standards Vulnerability Disclosure & Handling Process and Policy” and for enabling autopublish.

[[
This document defines how to report suspected security vulnerabilities in W3C standards and specifications (technical reports), so that issues can be triaged, confirmed, and resolved through the appropriate W3C processes. It is not for reporting vulnerabilities in software implementations or W3C operational infrastructure (see Out of scope).
]]

During the 2026-01-20 meeting, the participants had already agreed. To ensure everyone has an opportunity to weigh in, this will serve as a record of the group's decision, one way or another.

The deliverable is available for inspection here:

https://w3c.github.io/security-disclosure/

In response, please state one of the following:

* I support the publishing of the "W3C Standards Vulnerability Disclosure & Handling Process".
* I do not support the publishing of the "W3C Standards Vulnerability Disclosure & Handling Process", but it's fine if we decide to proceed
* I object to the adoption of the “W3C Standards Vulnerability Disclosure & Handling Process” due to Issues filed in the open issue <#number> of the securityig repository

If there are no further objections, we will confirm the decision by 2026-01-27, at midnight Pacific time.

Just so you know, if the deliverable is published, it will be marked as a First Group Note Draft, which does not imply W3C endorsement.

Thank you,

Simone
Received on Tuesday, 20 January 2026 22:07:54 UTC