Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
Re: Proposed SECURITY-PROCESS updates
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 9 Mar 2023 18:18:38 +0100 (CET)
On Thu, 9 Mar 2023, Daniel Gustafsson wrote:
> This opens us up to the risk that we've misjudged the severity, and we
> publish what we think is Low but in reality should've been High (or higher).
> Ideally this shouldn't happen, and thus the risk is low, but known risks are
> better than unknown. If we are on the fence regarding severity it should be
> fine to keep it hidden as per the process for High.
Ah yes, good point. We should be fairly sure of the severity level before we
make a (public) PR to fix any security flaw.
Do you think it is worth adding words about that in the SECURITY-PROCESS
document?
Date: Thu, 9 Mar 2023 18:18:38 +0100 (CET)
On Thu, 9 Mar 2023, Daniel Gustafsson wrote:
> This opens us up to the risk that we've misjudged the severity, and we
> publish what we think is Low but in reality should've been High (or higher).
> Ideally this shouldn't happen, and thus the risk is low, but known risks are
> better than unknown. If we are on the fence regarding severity it should be
> fine to keep it hidden as per the process for High.
Ah yes, good point. We should be fairly sure of the severity level before we
make a (public) PR to fix any security flaw.
Do you think it is worth adding words about that in the SECURITY-PROCESS
document?
-- / daniel.haxx.se | Commercial curl support up to 24x7 is available! | Private help, bug fixes, support, ports, new features | https://curl.se/support.html -- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2023-03-09