THIS CONSULTATION HAS NOW CLOSED
The IETF Administration LLC sought feedback on a DRAFT Infrastructure and Services Vulnerability Disclosure Statement [1], which it proposed to adopt and publish on the IETF website.
A vulnerability disclosure statement sets out how anyone discovering a vulnerability in the IETF infrastructure or services can report it without fear of legal action, and how they can expect it to be handled. The intent of such a statement is to ensure that such vulnerabilities are responsibly disclosed to the IETF LLC and that the IETF LLC can ensure that any necessary action is taken before the vulnerability is widely disclosed. This statement is limited to the IETF infrastructure and services, as those are the responsibility of the IETF LLC, and does not cover protocol vulnerabilities, which are the responsibility of the IESG.
The text of the draft statement follows best practice for such statements and, for those familiar with this practice, will seem similar to the text used by many other organisations [2] [3].
The IETF LLC was interested in the views of the community, particularly from those familiar with this practice, on the following:
- General views on the vulnerability statement.
- The proposed mechanism for reporting a vulnerability.
- Whether or not this statement should be supplemented with a "bug bounty" program.
- What the email address should be for reports to be sent to.
The consultation on this Draft Strategic Plan 2020 ran from Tuesday 4 August to Monday 17 August 2020. The feedback provided was tracked as issues in this repository and the draft updated in a separate branch with proposed changes to address that feedback. At the conclusion of the consultation the branch was merged to provide the final text.
[1] https://github.com/ietf-llc/infrastructure-and-services-vulnerability-disclosure-statement/blob/master/DRAFT%20Infrastructure%20and%20Services%20Vulnerability.md
[2] https://support.apple.com/en-us/HT201220
[3] https://www.microsoft.com/en-us/msrc/faqs-report-an-issue