curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: Proposed SECURITY-PROCESS updates

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 9 Mar 2023 18:18:38 +0100 (CET)

On Thu, 9 Mar 2023, Daniel Gustafsson wrote:

> This opens us up to the risk that we've misjudged the severity, and we
> publish what we think is Low but in reality should've been High (or higher).
> Ideally this shouldn't happen, and thus the risk is low, but known risks are
> better than unknown. If we are on the fence regarding severity it should be
> fine to keep it hidden as per the process for High.

Ah yes, good point. We should be fairly sure of the severity level before we
make a (public) PR to fix any security flaw.

Do you think it is worth adding words about that in the SECURITY-PROCESS
document?

-- 
  / daniel.haxx.se
  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
  | https://curl.se/support.html
-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
Received on 2023-03-09