Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement

IETF Executive Director <> Tue, 04 August 2020 03:33 UTC

Return-Path: <>
Received: from (localhost [IPv6:::1]) by (Postfix) with ESMTP id BE04B3A0A68 for <>; Mon, 3 Aug 2020 20:33:22 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: IETF Executive Director <>
To: "IETF Announcement List" <>
Subject: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement
X-Test-IDTracker: no
X-IETF-IDTracker: 7.12.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <>
Date: Mon, 03 Aug 2020 20:33:22 -0700
Archived-At: <>
X-Mailman-Version: 2.1.29
List-Id: "IETF announcement list. No discussions." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 04 Aug 2020 03:33:23 -0000

The IETF Administration LLC is seeking feedback on a DRAFT Infrastructure and Services Vulnerability Disclosure Statement [1], which it proposes to adopt and publish on the IETF website.

A vulnerability disclosure statement sets out how anyone discovering a vulnerability with the IETF infrastructure or services can report this vulnerability without fear of legal action and how they can expect it to be handled.  The intent of such a statement is to ensure that such vulnerabilities are responsibly disclosed to the IETF LLC and the IETF LLC can ensure that any necessary action is taken, before the vulnerability is widely disclosed.  This statement is limited to the IETF infrastructure and services as those are the responsibility of the IETF LLC and does not cover protocol vulnerabilities, which are the responsibility of the IESG.

The text of the draft statement follows best practice for such statements and for those familiar with this practice, will seem similar to the text used by many other organisations [2] [3].

The IETF LLC is interested in the views of the community, particularly from those familiar with this practice, on the following:

* General views on the vulnerability statement.
* The proposed mechanism for reporting a vulnerability.
* Whether or not this statement should be supplemented with a "bug bounty" program.
* What the email address should be for reports to be sent to.

The consultation on this Draft Strategic Plan 2020 starts on Tuesday 4 August and closes on Monday 17 August 2020 at 00:00 UTC.  It will be extended if needed.

If you have any comments or questions then you can submit those by any of the following methods:

* Raising an issue on this Github repository
* Direct to the IETF Executive Director at
* Direct to the IETF LLC Board (not including the IETF Executive Director) at 
* To the list


Jay Daley
IETF Executive Director