Security Policy

Neil Stevens kde-policies@mail.kde.org
Mon, 10 Mar 2003 14:27:18 -0800



On Monday March 10, 2003 02:15, George Staikos wrote:
> On Monday 10 March 2003 16:19, Waldo Bastian wrote:
> > I broadly agree with that but with two nuances:
> > * I think it is important to alert users to a threat and to provide
> > them with information on how to eliminate that threat, but I don't
> > think that publishing detailed exploit information is in the interest
> > of the user.
> > * I think it's justified to delay the publishing of information when
> > work is actively under way on either a) a better impact analysis or
> > b) a fix for the problem. Once you disclose the threat there will be
> > increased attention for that vulnerability, so it's very important to
> > provide correct information and credible solutions to eliminate that
> > threat at the time of disclosure. I also think that it is
> > counter-productive to have multiple publications in short succession
> > on a single issue, since I think that that blurs the attention of the
> > users that you try to reach. I think perhaps the most critical element
> > of a security update is the user actually applying the update. For
> > that, effective and efficient communication with the user is vital
> > IMO. So I think that the goal should be to get it right and complete
> > the first time.
>
>   An additional note: In the past (up until, I guess, the mid-to-late
> 1990s), it was often the case that exploits were just posted to bugtraq
> and the fixes would come later.  The new accepted policy for handling
> security holes is to contact the developers in private, organise a patch
> and press release date with the affected parties, and release as quickly
> as possible, simultaneously.  security@ addresses are generally used as
> contact points, and considered to be private.

Well, another common practice in the computing industry is to use
restrictive licenses, and even to withhold source code entirely.  KDE is
under no obligation to follow suit.

-- 
Neil Stevens - neil@qualityassistant.com
"Among the many misdeeds of the British rule in India, history will
look upon the act depriving a whole nation of arms as the blackest."
 -- Gandhi