From: Zak Rogoff
Subject: [libreplanet-discuss] Can you confirm these are not best practices for disclosure?
Date: Mon, 30 Jan 2017 17:16:28 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.7.0

Hi LP-discuss,

The W3C, which sets Web standards, just released this

in an attempt to pacify all of us who are complaining that their plan to
make DRM part of Web standards would be bad for security researchers.
It's a draft of "best practices" for companies to follow when security
researchers disclose vulns to them.

Is anyone who's knowledgeable about disclosure policies able to take a
look at it and share your thoughts?

To me, it looks like it's not much of a protection for the researchers,
because it's totally voluntary and apparently allows companies to ignore
it if they make such arbitrary judgements as that the security
researcher didn't give them a "reasonable amount of time" between
private and public disclosure.

I think we can take Netflix's policy (linked) to be pretty
representative of the policies these guidelines will produce.

PS -- the LibrePlanet 2017 t-shirt will be launching soon :)

Zak Rogoff // Campaigns Manager
Free Software Foundation
