From a61b8818efef72e82bed8c787e044a565b0c62a8 Mon Sep 17 00:00:00 2001 From: anonimal Date: Sat, 9 Mar 2019 00:49:20 +0000 Subject: [PATCH] VRP: redefine public communications platform As we agreed to (the VRP team). --- VULNERABILITY_RESPONSE_PROCESS.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/VULNERABILITY_RESPONSE_PROCESS.md b/VULNERABILITY_RESPONSE_PROCESS.md index d32f2f1..14c8ced 100644 --- a/VULNERABILITY_RESPONSE_PROCESS.md +++ b/VULNERABILITY_RESPONSE_PROCESS.md @@ -90,7 +90,7 @@ PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1 - d. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity 7. Respond according to the severity of the vulnerability: - - a. HIGH severities must be notified on website and reddit /r/Monero (/r/Kovri for kovri) within 3 working days of classification + - a. HIGH severities will be notified via at least one public communications platform (mailing list, reddit, website, or other) within 3 working days of patch release - i. The notification should list appropriate steps for users to take, if any - ii. The notification must not include any details that could suggest an exploitation path - iii. The latter takes precedence over the former 
@@ -130,7 +130,7 @@ PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1 - viii. Mitigating factors (for example, the vulnerability is only exposed in uncommon, non-default configurations) - ix. Workarounds (configuration changes users can make to reduce their exposure to the vulnerability) - x. If applicable, credits to the original reporter - - c. Release finalized vulnerability announcement on website and reddit /r/Monero (/r/Kovri for kovri) + - c. Release finalized vulnerability announcement on public communications platform (mailing list, reddit, website, or other) - d. For HIGH severities, release finalized vulnerability announcement on well-known mailing lists: - i. oss-security@lists.openwall.com - ii. bugtraq@securityfocus.com
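Review bot: In the first hunk (7.a, `@@ -90,7 +90,7 @@`), the deadline trigger changes from "within 3 working days of classification" to "within 3 working days of patch release", which is a separate policy change from the "redefine public communications platform" stated in the subject and is not mentioned in the commit message ("As we agreed to (the VRP team)."). Either name that change explicitly in the commit message or split it into its own commit so the history records why HIGH severity notifications are now tied to patch release rather than classification.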
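Review bot: In the second hunk (item c, `@@ -130,7 +130,7 @@`), the new line "Release finalized vulnerability announcement on public communications platform (mailing list, reddit, website, or other)" drops the article and is inconsistent with the wording adopted for 7.a in the first hunk ("via at least one public communications platform"). Suggest "on at least one public communications platform (mailing list, reddit, website, or other)" so both items state the same minimum requirement; note also that item d immediately below still mandates the specific mailing lists for HIGH severities, so the "mailing list" option in item c does not replace that requirement.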