[ovs-discuss] increasing the "default" embargo period for vulnerabilities

Flavio Leitner fbl at sysclose.org
Wed Mar 30 21:11:33 UTC 2016


On Wed, Mar 30, 2016 at 10:22:13AM -0700, Ben Pfaff wrote:
> SECURITY.md currently says:
> 
>     A disclosure date is negotiated by the security team working with the
>     bug submitter as well as vendors.  However, the Open vSwitch security
>     team holds the final say when setting a disclosure date.  The timeframe
>     for disclosure is from immediate (esp. if it's already publicly known)
>     to a few weeks.  As a basic default policy, we expect report date to
>     disclosure date to be 3~5 business days.
> 
> When we recently put an actual vulnerability through this process, we
> discovered that this is far too short.  At VMware, for example, it takes
> about 10 business days to put an NSX release through all of the internal
> processes needed to make it available to customers.  A lot of that is
> QA, but even if that were to be skipped (which would be difficult), 5
> days is terribly short.
> 
> I realize that VMware is not at the forefront of efficiency here, but I
> think that other downstream users of Open vSwitch are likely to have
> enterprise-y schedules as well.  Probably, we are not yet aware of most
> of these, but my guess is that since Open vSwitch is gaining a higher
> profile we will start to see vulnerability reports regularly and other
> enterprise software companies will start to sign up as downstreams.
> 
> I suggest that we increase our policy from 3-5 business days to 10-15.
> 
> Your thoughts?

Same issue here, ACK.

-- 
fbl
