VRP: redefine public communications platform

As we agreed to (the VRP team).
This commit is contained in:
anonimal 2019-03-09 00:49:20 +00:00
parent bcea379ffa
commit a61b8818ef
No known key found for this signature in database
GPG key ID: 66A76ECF914409F1


@ -90,7 +90,7 @@ PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
- d. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity
7. Respond according to the severity of the vulnerability:
- a. HIGH severities must be notified on website and reddit /r/Monero (/r/Kovri for kovri) within 3 working days of classification
- a. HIGH severities will be notified via at least one public communications platform (mailing list, reddit, website, or other) within 3 working days of patch release
- i. The notification should list appropriate steps for users to take, if any
- ii. The notification must not include any details that could suggest an exploitation path
- iii. The latter takes precedence over the former
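Review bot: the replacement "a." line changes more than the communications channel: the notification clock now starts at "patch release" instead of "classification", which the commit title ("redefine public communications platform") does not mention. If the timing change is intended, say so in the commit message and consider whether the gap between classification and patch release needs its own bound, since the old wording promised users notice within 3 working days of the severity being known. Also, "at least one public communications platform (mailing list, reddit, website, or other)" leaves the channel open; naming one canonical channel users can always watch, or stating where the current list of channels is published, would keep the 3 working day promise checkable.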
@ -130,7 +130,7 @@ PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
- viii. Mitigating factors (for example, the vulnerability is only exposed in uncommon, non-default configurations)
- ix. Workarounds (configuration changes users can make to reduce their exposure to the vulnerability)
- x. If applicable, credits to the original reporter
- c. Release finalized vulnerability announcement on website and reddit /r/Monero (/r/Kovri for kovri)
- c. Release finalized vulnerability announcement on public communications platform (mailing list, reddit, website, or other)
- d. For HIGH severities, release finalized vulnerability announcement on well-known mailing lists:
- i. oss-security@lists.openwall.com
- ii. bugtraq@securityfocus.com
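Review bot: the new "c." line reads "on public communications platform", which is missing an article and does not match the quantifier used in the earlier hunk ("at least one public communications platform"); suggest "c. Release finalized vulnerability announcement on at least one public communications platform (mailing list, reddit, website, or other)" so both rules read the same way. Since "d." still requires HIGH severities to go to the named mailing lists (oss-security@lists.openwall.com, bugtraq@securityfocus.com), it may be worth adding "in addition to d." or similar to "c." so "or other" is not read as satisfying the HIGH-severity requirement on its own.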