[License-discuss] Coordinated release of security vulnerability information.

Florian Weimer fw at deneb.enyo.de
Tue Sep 24 10:15:29 UTC 2019


* VanL:

> What would everyone here think of the following exception to the CAL's
> requirement to provide source code:
>
> 4.1.3. Coordinated Disclosure of Security Vulnerabilities
>
> You may delay providing the Source Code corresponding to a particular
> modification to the Work for up to ninety (90) days (the “Embargo Period”)
> if: a) the modification is intended to address a newly-identified
> vulnerability or a security flaw in the Work, b) disclosure of the
> vulnerability or security flaw before the end of the Embargo Period would
> put the data, identity, or autonomy of one or more Recipients of the Work
> at significant risk, c) You are participating in a coordinated disclosure
> of the vulnerability or security flaw with one or more additional
> Licensees, and d) the Source Code pertaining to the modification is
> provided to all Recipients at the end of the Embargo Period.
>
>
> Good policy? OSD compliant? I think so, but would like to hear others'
> thoughts.

If you have binaries with and without the fix, it is usually not too
difficult to figure out what the bug (and perhaps the fix) is.  It
gets more difficult if the security fix is bundled with unrelated
changes, but the proposed text does not permit withholding source for
*them*, so I'm not sure if that is a possibility here.

Furthermore, embargoes are generally a waste of time.  I don't think
it's a good idea to encode such bad practices in software licenses.
