
SECURITY.md: context on when private disclosure is relevant for privacy/security spec issues #3

Open
npdoty opened this issue Mar 26, 2020 · 0 comments

npdoty commented Mar 26, 2020

It would be a radical change for every privacy and security issue in a privacy-related spec under development to be reported privately; I don't think that's what's intended here, but we should be explicit about it. Feedback and iteration would be much slower, and chairs would become a bottleneck.

Maybe instead we could give guidance on when it might be useful to provide feedback privately instead of through normal spec development (say, a vulnerability in a widely-shipped implemented feature, where you don't believe attackers are already exploiting it and where it needs to be resolved privately by implementers and spec authors in a coordinated way).

(as previously noted here: privacycg/admin#11)

@hober hober self-assigned this Apr 17, 2020