[License-discuss] Coordinated release of security vulnerability information.

VanL van.lindberg at gmail.com
Thu Aug 22 14:45:54 UTC 2019


Hello all,

The following caught my eye:

On Wed, Aug 21, 2019, 5:09 PM Thorsten Glaser <tg at mirbsd.de> wrote:

>
> Incidentally works covered by the AGPL are being removed from a
> lot of institutions now due to the inability to deploy embargoed
> security fixes. This isn’t just a licence issue, but the ability
> to operate securely is clearly also relevant. (This was also observed
> near Debian.)
>


This is a perspective that I had not considered relative to the CAL.

What would everyone here think of the following exception to the CAL's
requirement to provide source code:

4.1.3. Coordinated Disclosure of Security Vulnerabilities

You may delay providing the Source Code corresponding to a particular
modification to the Work for up to ninety (90) days (the “Embargo Period”)
if: a) the modification is intended to address a newly-identified
vulnerability or a security flaw in the Work, b) disclosure of the
vulnerability or security flaw before the end of the Embargo Period would
put the data, identity, or autonomy of one or more Recipients of the Work
at significant risk, c) You are participating in a coordinated disclosure
of the vulnerability or security flaw with one or more additional
Licensees, and d) the Source Code pertaining to the modification is
provided to all Recipients at the end of the Embargo Period.


Good policy? OSD compliant? I think so, but would like to hear others'
thoughts.

Thanks,
Van

