[annodex-dev] Fwd: [oCERT-info#1] disclosure policy update

Conrad Parker conrad at metadecks.org
Tue Jun 17 14:02:22 PDT 2008


---------- Forwarded message ----------
From: Andrea Barisani <lcars at ocert.org>
Date: 2008/6/18
Subject: [oCERT-info#1] disclosure policy update
To: security at annodex.net



Dear oCERT Member,

first of all I'd like to thank your organization/project for being part of
oCERT. Recent press coverage about our effort showed overwhelming support for
the idea, which was perceived as a refreshing and necessary effort for the
Open Source world.

We hope we'll be able to live up to the expectations :).

Also, I would like to remind you that oCERT is here to help with handling and
coordinating security advisories/incidents that might affect you, investigating
possible security bugs, aiding in analyzing and handling possible compromises
of your server infrastructure, and much more.

Our page at http://ocert.org/membership.html gives a nice summary of what we
can provide.

Finally, our main reason for contacting you (as we wouldn't use this address
for communicating mere news, but only when necessary for important issues) is
our desire to update our disclosure policy. As you are a member that accepted
our original policy, we are required to notify you regarding any change in our
policy.

We are giving all Members 7 days for possible complaints about this new
text; please contact us if you object to any part of it. We would be happy to
discuss it. If no complaints are received, we'll update the policy.

You can read the current policy at http://ocert.org/disclosure_policy.html,
the main change is refining how we work out embargo proposals. We hope that
this new text better represents the desire for efficiency and proper
embargoes.

Thanks!

The draft follows:

* All membership requirements and responsibilities will be publicly
 known, details can be found in the membership page

* Distribution is determined in two ways: registered vendors/maintainers,
 and Open Source project contacts extracted from authoritative
 resources like code.google.com/sourceforge/rubyforge/etc where
 applicable

* oCERT agrees to keep things moving efficiently, acknowledging that
 long or moved embargo dates can have significant impact on vendors,
 users and open disclosure and will be avoided where possible

* All bug/incident timelines and discussion summaries will be made public
 after an embargo date. The embargo is optional and will be applied
 only when considered necessary for appropriate coordination; reports
 will be released as early as possible, and in any case the embargo must
 not be longer than 1 month

* The following time frames regulate oCERT embargo proposals:

 - 7 days, in case the issue is already well narrowed down and tested,
 requiring trivial configuration and/or code change

 - 14 days, standard embargo for most cases

 - 30 days, in case of critical and complex vulnerabilities (example,
 trivial exploitation of administrative privileges on a static library
 affecting a large number of packages), and with the agreement of all
 parties

 - under extremely exceptional circumstances, if the oCERT Team and all
 the parties involved feel the need for a longer time, a 2 month embargo
 can be applied; in this case we would clearly document the decision
 for public review

 - in any circumstance, the reporter's preference will always be honoured
 if a joint agreement is not reached, as oCERT would in any case be unable
 to enforce its embargo

--
Andrea Barisani |                Founder & Project Coordinator
         oCERT | Open Source Computer Emergency Response Team

<lcars at ocert.org>                         http://www.ocert.org
 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
       "Pluralitas non est ponenda sine necessitate"