Security Policy

Waldo Bastian kde-policies@mail.kde.org
Mon, 10 Mar 2003 22:19:56 +0100


On Monday 10 March 2003 03:27, Neil Stevens wrote:
> KDE at this time appears to lack any published policy on the hiding or
> warning of problems in KDE.  I mentioned this once before on
> kde-core-devel, but now we have a list for these matters, so I bring it up
> again.
>
> I would suggest that KDE developers describe for users precisely what will
> be done with information related to KDE bugs, and when and if users will
> be warned of risks to their systems.
>
> Just to get things started, I make this description of what my policy is:
> I will not, under any circumstances, withhold from users any information
> related to a threat, real or potential, to their privacy, security, or
> system reliability.  This goes not just for any problems with software I
> maintain, but for any other software problems I become aware of.

I broadly agree with that but with two nuances:
* I think it is important to alert users to a threat and to provide them with 
information on how to eliminate that threat, but I don't think that 
publishing detailed exploit information is in the interest of the user.
* I think it's justified to delay the publishing of information when work is 
actively being done on either a) a better impact analysis or b) a fix for 
the problem. Once you disclose the threat there will be increased attention 
for that vulnerability so it's very important to provide correct information 
and credible solutions to eliminate that threat at the time of disclosure. I 
also think that it is counter-productive to have multiple publications in 
short succession on a single issue since I think that that blurs the 
attention of the users that you try to reach. I think perhaps the most 
critical element of a security update is the user actually applying 
the update. For that, effective and efficient communication with the user is 
vital IMO. So I think that the goal should be to get it right and complete 
the first time.

This isn't black and white though, you will have to take into account the 
circumstances, the threat level, whether the threat is real or potential in 
nature, potential impact...

Cheers,
Waldo
-- 
bastian@kde.org -=|[ SuSE, The Linux Desktop Experts ]|=- bastian@suse.com