Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Töma Gavrichenkov <> Mon, 26 October 2020 09:58 UTC

From: Töma Gavrichenkov <>
Date: Mon, 26 Oct 2020 12:57:53 +0300
Message-ID: <>
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
To: "Salz, Rich" <>
Cc: Roman Danyliw <>, IETF Rinse Repeat <>


On Fri, Oct 23, 2020, 10:59 PM Salz, Rich <>

> I would put the "WE don't pay" sentence at the top, right after the intro
> paragraph.

Vendors might have their own bug bounties for the protocols they
implement.  Nonprofit organizations might have bounties for protocol
security research, to ensure a safer Internet in general.  Looking for those
should be suggested then.  "We don't pay" is a powerful message which, when
it comes down to a typical Initech, generally implies "we don't care".

A list of sponsoring and shepherding organizations offering bounties for
vulnerabilities found in the WG documents might be published for each of
the WGs (just a suggestion).  One might argue then that processing
potential vulnerabilities through the IETF process might be easier together
with points of contact in those vendors who were responsible for document
development and implementation, as opposed to doing it with the
vulnerability researchers directly.  For those researchers, IETF processes
might seem, well, unusual.