This repository has been archived by the owner on Feb 2, 2021. It is now read-only.

IETF LLC consultation on an infrastructure and services vulnerability disclosure statement


ietf-llc/infrastructure-and-services-vulnerability-disclosure-statement


THIS CONSULTATION HAS NOW CLOSED

The IETF Administration LLC sought feedback on a DRAFT Infrastructure and Services Vulnerability Disclosure Statement [1], which it proposed to adopt and publish on the IETF website.

A vulnerability disclosure statement sets out how anyone discovering a vulnerability in the IETF infrastructure or services can report it without fear of legal action, and how they can expect it to be handled. The intent of such a statement is to ensure that such vulnerabilities are responsibly disclosed to the IETF LLC, and that the IETF LLC can ensure any necessary action is taken before the vulnerability is widely disclosed. This statement is limited to the IETF infrastructure and services, as those are the responsibility of the IETF LLC, and does not cover protocol vulnerabilities, which are the responsibility of the IESG.

The text of the draft statement follows best practice for such statements and, for those familiar with this practice, will seem similar to the text used by many other organisations [2] [3].

The IETF LLC was interested in the views of the community, particularly from those familiar with this practice, on the following:

  • General views on the vulnerability statement.
  • The proposed mechanism for reporting a vulnerability.
  • Whether or not this statement should be supplemented with a "bug bounty" program.
  • What the email address should be for reports to be sent to.

The consultation on this Draft Strategic Plan 2020 ran from Tuesday 4 August to Monday 17 August 2020. The feedback provided was tracked as issues in this repository, and the draft was updated in a separate branch with proposed changes to address that feedback. At the conclusion of the consultation, the branch was merged to provide the final text.

[1] https://github.com/ietf-llc/infrastructure-and-services-vulnerability-disclosure-statement/blob/master/DRAFT%20Infrastructure%20and%20Services%20Vulnerability.md
[2] https://support.apple.com/en-us/HT201220
[3] https://www.microsoft.com/en-us/msrc/faqs-report-an-issue
