Re: Proposed SECURITY-PROCESS updates
From: Daniel Gustafsson via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 9 Mar 2023 13:59:46 +0100
> On 9 Mar 2023, at 13:45, Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se> wrote:
> I think we should allow or even demand that Low+Medium issues get managed through plain PRs. But without
> highlighting or mentioning the security vulnerability risk.
This opens us up to the risk that we've misjudged the severity, and we publish
what we think is Low but in reality should've been High (or higher). Ideally
this shouldn't happen, and thus the risk is low, but known risks are better
than unknown. If we are on the fence regarding severity it should be fine to
keep it hidden as per the process for High.
There is also the case when information in a report is provided to us under an
embargo, the date of which must take precedence.
So, I don't mind allowing it, but I don't want to demand it for the reasons
stated above (and your PR doesn't demand it either).
-- Daniel Gustafsson
Received on 2023-03-09