VRP: redefine public communications platform

As we agreed to (the VRP team).
This commit is contained in:
anonimal 2019-03-09 00:49:20 +00:00
parent bcea379ffa
commit a61b8818ef
No known key found for this signature in database
GPG key ID: 66A76ECF914409F1

View file

@ -90,7 +90,7 @@ PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
- d. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity - d. If there are any disputes regarding bug severity, the Monero Response team will ultimately define bug severity
7. Respond according to the severity of the vulnerability: 7. Respond according to the severity of the vulnerability:
- a. HIGH severities must be notified on website and reddit /r/Monero (/r/Kovri for kovri) within 3 working days of classification - a. HIGH severities will be notified via at least one public communications platform (mailing list, reddit, website, or other) within 3 working days of patch release
- i. The notification should list appropriate steps for users to take, if any - i. The notification should list appropriate steps for users to take, if any
- ii. The notification must not include any details that could suggest an exploitation path - ii. The notification must not include any details that could suggest an exploitation path
- iii. The latter takes precedence over the former - iii. The latter takes precedence over the former
@ -130,7 +130,7 @@ PGP fingerprint = 1218 6272 CD48 E253 9E2D D29B 66A7 6ECF 9144 09F1
- viii. Mitigating factors (for example, the vulnerability is only exposed in uncommon, non-default configurations) - viii. Mitigating factors (for example, the vulnerability is only exposed in uncommon, non-default configurations)
- ix. Workarounds (configuration changes users can make to reduce their exposure to the vulnerability) - ix. Workarounds (configuration changes users can make to reduce their exposure to the vulnerability)
- x. If applicable, credits to the original reporter - x. If applicable, credits to the original reporter
- c. Release finalized vulnerability announcement on website and reddit /r/Monero (/r/Kovri for kovri) - c. Release finalized vulnerability announcement on public communications platform (mailing list, reddit, website, or other)
- d. For HIGH severities, release finalized vulnerability announcement on well-known mailing lists: - d. For HIGH severities, release finalized vulnerability announcement on well-known mailing lists:
- i. oss-security@lists.openwall.com - i. oss-security@lists.openwall.com
- ii. bugtraq@securityfocus.com - ii. bugtraq@securityfocus.com