Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Eliot Lear <> Wed, 28 October 2020 10:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D67943A07E6 for <>; Wed, 28 Oct 2020 03:33:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Juq0y0AiIUW4 for <>; Wed, 28 Oct 2020 03:33:47 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1D8973A07D3 for <>; Wed, 28 Oct 2020 03:33:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=6712; q=dns/txt; s=iport; t=1603881227; x=1605090827; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=PVYZVC1XYiLttip06vzFcSaoL/VnoUVCIsBN2tCv47s=; b=TRM3M45yDp1Su/bzSHiVFHxpynCTVGn9QH2MSrvb7dYPHBLXTMcjkjsC gdA6TOToO/L8aYYoN/nDQBVC7Oe5ul2Z4EL+xg2cxIvcqaH4qGARrmhPz 14DjsZ5KH97r+YOc11LkLACXfw5mux8iPxsQiazqVJQZAQHMyFdw+2W9d 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BTAACeSJlf/xbLJq1gHAEBAQEBAQc?= =?us-ascii?q?BARIBAQQEAQGBfQUBAQsBgSKCTAEyLYQ9iQWHZyaUC4YdFIFpCwEBAQ0BAS8?= =?us-ascii?q?EAQGESgKCBiY2Bw4CAwEBCwEBBQEBAQIBBgRthW2FcgEBAQECAR0GSwsFCws?= =?us-ascii?q?OCicDAgJGEQYTFIMSgl0gqS92gTKFV4UIgTgBjVOCAIE4DBCCTT6ECAESAYM?= =?us-ascii?q?4M4IsBKZzkRqCdYMYjE2LGwMfgxeKDoUgKY5ysB2DXwIEBgUCFYFbBi1ncDM?= =?us-ascii?q?aCBsVOyoBgj4+EhkNnGlAAzA4AgYBCQEBAwmOSAEB?=
X-IronPort-AV: E=Sophos; i="5.77,426,1596499200"; d="scan'208,217"; a="30634513"
Received: from (HELO ([]) by with ESMTP/TLS/DHE-RSA-SEED-SHA; 28 Oct 2020 10:33:42 +0000
Received: from [] ([]) by (8.15.2/8.15.2) with ESMTPS id 09SAXfva026597 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 28 Oct 2020 10:33:42 GMT
From: Eliot Lear <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_1D03BEC4-F934-4F99-882F-0B9511B668C6"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Date: Wed, 28 Oct 2020 11:33:41 +0100
In-Reply-To: <>
Cc: The IETF List <>
To: Roman Danyliw <>
References: <> <> <> <> <>
X-Mailer: Apple Mail (2.3608.
X-Outbound-SMTP-Client:, []
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 28 Oct 2020 10:33:49 -0000

Hi Roman,

> On 27 Oct 2020, at 20:06, Roman Danyliw <> wrote:
> Hi Eliot!
> [Roman] In my view, the proposed text effectively says “this is the IETF process and as a last resort, please use the catch all alias”.  My read of your tighter text is the opposite, “here is a new reporting  alias, consider also getting involved in the IETF processes”.  Put in another way, we are actively steering away from established processes (e.g., using the mailing lists) and preferring the triage alias as the first step.  With the reduced text, we are not longer explaining “all the usual processes”.

Ok, Here’s a slightly tweaked version of that text to address how you read the doc:

If you believe you’ve discovered a protocol vulnerability, we very much welcome your contribution.  
You are also invited to take your findings to any open IETF working group or mailing list that you believe would be appropriate, in order to discuss protocol improvements to address any vulnerabilities.  If you do not know which IETF working group or mailing list to use or otherwise need help with our processes, we invite you to email “ <>” as well as the document authors, and we will assist you.  All of our work is public, and therefore, disclosing to a working group or mailing list is public.  In some cases, we may ask you to file an erratum, and we will be happy to guide you through that process.

Again, fewer words are better.  And again, adding a few sentences about expectations is just fine.  This should make clear that the mailing list is intended to provide assistance, not triage, and it is entirely optional.

Does that make it clearer that we’re not gate keeping?