- From: Hadley Beeman <hadley@linkedgov.org>
- Date: Thu, 27 Apr 2017 08:06:22 +0100
- To: Philippe Le Hégaret <plh@w3.org>
- Cc: www-tag <www-tag@w3.org>
- Message-ID: <CAKK2BTtiqmV2WCPmns1OTKugd42aknmRVjukHsDde266EiROjA@mail.gmail.com>
Hello PLH,

In our TAG face-to-face, we've just discussed the Security Disclosures doc. As you've probably seen from the issues threads in GitHub[1,2], we left the following comments:

We also appreciate the initial work on the W3C Security Disclosure Best Practices and find that they do contribute to fostering a web ecosystem that benefits from continual testing. We are pleased to see progress against the situation outlined in our 2015 resolution, Assuring a Strong and Secure Web Platform.

However, we find that this document covers just the use case of inadvertent security vulnerabilities in a web technology. We note that some of the concerns raised during the development of EME centre around the possibility of deliberately unethical or malicious implementations of EME — for example an implementation that might use EME APIs to exfiltrate sensitive data from a user's operating system. These Best Practices are unlikely to help a security researcher in such a situation. The Best Practices appear to be supporting vulnerabilities that both researchers and the specific implementor would agree need attention; our additional concern is for potential exploits that might not meet this use case.

We want to make clear that, while this effort is a useful contribution to the problem we outlined in our resolution, it is not sufficient to adequately protect security researchers who are helping us build a stronger web. We encourage continued development of these best practices, and want to further encourage W3C policy to continue to find new ways to assure that broad testing and security audit is able to grow on a scale in line with the development in the web.

I'm not sure about the status of the BP document. Will work on it continue? Is that feedback useful, or can I do anything to make it more useful? We do want to support the effort.

Cheers,
Hadley

[1] https://github.com/w3c/security-disclosure/issues/4
[2] https://github.com/w3c/encrypted-media/issues/389#issuecomment-294899194
Received on Thursday, 27 April 2017 07:06:56 UTC