[License-discuss] Coordinated release of security vulnerability information.

VanL van.lindberg at gmail.com
Thu Aug 22 20:28:27 UTC 2019


Hi Lukas,

Thanks for your reply. Based on your response, as well as the other
responses here, it seems like the structure of this clause is
non-problematic.

However:

On Thu, Aug 22, 2019 at 3:14 PM Lukas Atkinson <opensource at lukasatkinson.de>
wrote:

> However, that 90 day window is awfully long... In the context of a source
> distribution requirement, a full 90 day embargo is unnecessarily long. At
> that point where a fix is first deployed by an operator, the issue has
> already been fixed and only distribution of patches to all operators
> remains to be done. It is in the interest of all users that this happens as
> expediently as possible. The only advantage that a long source embargo
> period would have is that an insider operator could deploy mitigations
> before a proper patch is available, but this still leaves the wider
> community vulnerable.
>

I see this point. Having been inside a SaaS vendor, though, I am sometimes
astounded that anything gets done at all. My thinking is that conforming
with "standard" timeframes is most likely to encourage proper behavior by
vendor/operators, even if it would not be ideal in isolation - thus
increasing welfare on average.

We could also do something like 60 days, which is shortened, but still long
enough to allow for slow corporate processes.

Thoughts on this response? Also, any thoughts from others?

Thanks,
Van