--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabWhCfgKCOiH75pgtw1AQcNaKWjq%3Dq832p-pQbp5KrfyQ%40mail.gmail.com.
Dear Wayne,
Your suggestion is almost exactly what was discussed in the Swiss parliament a few weeks ago. There was a discussion about whether operators of Swiss critical infrastructure should be required by law to report -exploitable vulnerabilities- (in that discussion even zero-day vulnerabilities that the operator became aware of were included) to our national cyber security agency within a short time after discovery. In the end parliament decided NOT to go that way, because the danger that disclosing such high-risk information would increase the risk of malicious actors being able to exploit it would outweigh the benefit of disclosure.
If we definitely want -vulnerabilities- to be disclosed, then I would strongly suggest allowing disclosure only -after- the vulnerability has been fixed.
Kind regards
Roman
Dear Ben,
Thanks for the effort you put into this, and especially for aligning the markdown template with the regular incident reporting template as much as possible.
Regarding the “Contact Information”: What is Mozilla’s expectation here? An e-mail address (personal or group mailbox), phone number (plus timezone so that people aren’t called in the middle of “their” night)? Or… ?
As for the other details in such a report: they look plausible, and I guess they are the result of previous incidents and of details that were missing in the initial communication.
Kind regards
Roman
From: dev-secur...@mozilla.org <dev-secur...@mozilla.org> On Behalf Of Ben Wilson
Sent: Wednesday, 22 November 2023 20:35
To: dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: Re: Improvements to Vulnerability Disclosure wiki page
All,