[License-discuss] Coordinated release of security vulnerability information.

Simon Phipps simon.phipps at opensource.org
Sun Aug 25 15:17:01 UTC 2019


On Thu, Aug 22, 2019 at 9:14 PM Lukas Atkinson <opensource at lukasatkinson.de>
wrote:

> However, that 90 day window is awfully long. While this is the typical
> embargo period, it intends to give the vendor enough time to verify,
> investigate, and fix the vulnerability, and to prepare the distribution of
> patches. This tries to balance the vendor's ability to fix the issue with
> the end users' interest to be quickly informed about open vulnerabilities in
> the software. (My use of “vendor” rather than “community” here is
> deliberate: such an embargo mostly makes sense in the context of closed or
> at least cathedral-style development.)
>

As others have commented, it's not just vendors who may need embargo
periods. Communities who share historic code origins can have a need to
co-ordinate addressing CVEs as well, and my experience of a particular case
has shown that even 90 days can be too short when one of those communities
is failing to respect its obligations to its users.

I suggest fixing this number at some "universally accepted" value is a
potential risk. Perhaps some mechanism such as "30 days unless otherwise
declared by the copyright holder"?

S.
(in a personal capacity despite the from: address)