[License-discuss] Coordinated release of security vulnerability information.
Lukas Atkinson
opensource at lukasatkinson.de
Thu Aug 22 20:13:20 UTC 2019
Such a clause is a good idea for copyleft licenses. Yay for license
innovation! I don't think it interacts a lot with the OSD or a concept of
software freedom, since it at most *delays* compliance with certain license
provisions under a limited set of circumstances.
However, that 90 day window is awfully long. While this is the typical
embargo period, it intends to give the vendor enough time to verify,
investigate, and fix the vulnerability, and to prepare the distribution of
patches. This tries to balance the vendor's ability to fix the issue with
the end users' interest to be quickly informed about open vulnerabilities in
the software. (My use of “vendor” rather than “community” here is
deliberate: such an embargo mostly makes sense in the context of closed or
at least cathedral-style development.)
In the context of a source distribution requirement, a full 90 day embargo
is unnecessarily long. At that point where a fix is first deployed by an
operator, the issue has already been fixed and only distribution of patches
to all operators remains to be done. It is in the interest of all users
that this happens as expediently as possible. The only advantage that a
long source embargo period would have is that an insider operator could
deploy mitigations before a proper patch is available, but this still
leaves the wider community vulnerable.
There's also a user autonomy angle to this: with such an embargo, end users
are more secure if they don't decide to operate their own software.
I therefore think shortening that window to 30 or 14 days would be more
appropriate.
On Thu, 22 Aug 2019 at 17:33, VanL <van.lindberg at gmail.com> wrote:
> 4.1.3. Coordinated Disclosure of Security Vulnerabilities
>
> You may delay providing the Source Code corresponding to a particular
> modification to the Work for up to ninety (90) days (the “Embargo Period”)
> if: a) the modification is intended to address a newly-identified
> vulnerability or a security flaw in the Work, b) disclosure of the
> vulnerability or security flaw before the end of the Embargo Period would
> put the data, identity, or autonomy of one or more Recipients of the Work
> at significant risk, c) You are participating in a coordinated disclosure
> of the vulnerability or security flaw with one or more additional
> Licensees, and d) the Source Code pertaining to the modification is
> provided to all Recipients at the end of the Embargo Period.
>