Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Töma Gavrichenkov <ximaera@gmail.com> Mon, 26 October 2020 09:58 UTC
References: <5081794697df44d8bd76b675cf08dc23@cert.org> <EB7E8597-087A-4E84-A90E-DC8DF7F089EB@akamai.com>
In-Reply-To: <EB7E8597-087A-4E84-A90E-DC8DF7F089EB@akamai.com>
From: Töma Gavrichenkov <ximaera@gmail.com>
Date: Mon, 26 Oct 2020 12:57:53 +0300
Message-ID: <CALZ3u+Z6RNGspz=sXRhWwqMRUJKwwnApKFnT_p+0-z+DNahKNA@mail.gmail.com>
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Cc: Roman Danyliw <rdd@cert.org>, IETF Rinse Repeat <ietf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/5j6HBvL3KmYiGqH9ZEzVASJwFm4>
Peace,

On Fri, Oct 23, 2020, 10:59 PM Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org> wrote:
> I would put the "WE don't pay" sentence at the top, right after the intro
> paragraph.

Vendors might have their own bug bounties for the protocols they implement. Nonprofit organizations might have bounties for protocol security research, to ensure a safer Internet in general. Looking for those should be suggested then.

"We don't pay" is a powerful message which, when it comes down to a typical Initech, generally implies "we don't care".

A list of sponsoring and shepherding organizations offering bounties for vulnerabilities found in the WG documents might be published for each of the WGs (just a suggestion).

One might argue then that processing potential vulnerabilities through the IETF process might be easier together with points of contact in those vendors who were responsible for document development and implementation, as opposed to doing it with the vulnerability researchers directly. For those researchers, IETF processes might seem, well, unusual.

--
Töma