[License-discuss] Coordinated release of security vulnerability information.

VanL van.lindberg at gmail.com
Thu Aug 22 17:17:54 UTC 2019


On Thu, Aug 22, 2019 at 11:35 AM Thorsten Glaser <tg at mirbsd.de> wrote:

>
> It might address the topic, but I have a really hard time wrapping
> my head around all the restrictions and terms used.
>

You mention that it must be necessary for people to get the patch. That is
this part:

> You may delay providing the Source Code corresponding to a particular
> modification to the Work for up to ninety (90) days (the “Embargo Period”)
> if...

This is permissive. It does not *prevent* people from sharing the patch, it
just adjusts the timing. So there would be no problem with providing the
patch to a user, nor that user putting the patch into production during the
embargo period.

Now, most of the language is about avoiding gaming of the provision:

> a) the modification is intended to address a newly-identified
> vulnerability or a security flaw in the Work,

This must be a *new* security issue. You can't withhold non-sensitive
patches, and you can't withhold patches for old issues.

> b) disclosure of the vulnerability or security flaw before the end of the
> Embargo Period would put the data, identity, or autonomy of one or more
> Recipients of the Work at significant risk,

The security issue must be significant enough to put people at risk. Not
every patch, nor even every vulnerability, would suffice.

> c) You are participating in a coordinated disclosure of the vulnerability
> or security flaw with one or more additional Licensees, and

The focus of this is allowing coordination of operator-users. It doesn't
allow unilateral withholding of the source by a single operator-user. If
there is only one operator-user, they can just roll out the fix! No need to
coordinate.

> d) the Source Code pertaining to the modification is provided to all
> Recipients at the end of the Embargo Period.

This doesn't change the requirement to provide source code, it just
temporarily modifies the timing.

Thanks,
Van