RE: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Roman Danyliw <rdd@cert.org> Fri, 06 November 2020 02:42 UTC
From: Roman Danyliw <rdd@cert.org>
To: "Salz, Rich" <rsalz@akamai.com>, "ietf@ietf.org" <ietf@ietf.org>
Subject: RE: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Date: Fri, 06 Nov 2020 02:42:15 +0000
Message-ID: <eb83b4fc5ba741a6bf7da1d78ad65f6d@cert.org>
References: <5081794697df44d8bd76b675cf08dc23@cert.org> <EB7E8597-087A-4E84-A90E-DC8DF7F089EB@akamai.com> <9d7e132e8ede40de841ebd99c45a34ac@cert.org>
In-Reply-To: <9d7e132e8ede40de841ebd99c45a34ac@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/LhjjK33BVn61actbuAvxe8q0ps4>
Hi Rich!

> -----Original Message-----
> From: Roman Danyliw
> Sent: Monday, October 26, 2020 7:09 PM
> To: 'Salz, Rich' <rsalz@akamai.com>; ietf@ietf.org
> Subject: RE: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
>
> Hi Rich!
>
> Thanks for the review.
>
> > -----Original Message-----
> > From: Salz, Rich <rsalz@akamai.com>
> > Sent: Friday, October 23, 2020 3:58 PM
> > To: Roman Danyliw <rdd@cert.org>; ietf@ietf.org
> > Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
> >
> > I would put the "WE don't pay" sentence at the top, right after the intro paragraph.

The introductory section now closes with this "we don't pay" caution:
https://github.com/ietf/vul-reporting-guidance/commit/edd6ac432d106482a09199bfb9a139c934249577

Regards,
Roman

> Yes, that can be added more prominently in the initial introductory text.
>
> Regards,
> Roman
>
> > On 10/23/20, 2:46 PM, "Roman Danyliw" <rdd@cert.org> wrote:
> >
> > Hi!
> >
> > The Internet Engineering Steering Group (IESG) is seeking community input on reporting protocol vulnerabilities to the IETF. Specifically, the IESG is proposing guidance to be added to the website at [1] to raise awareness on how the IETF handles this information in the standards process. The full text (which would be converted to a web page) is at:
> >
> > https://www.ietf.org/media/documents/Guidance_on_Reporting_Vulnerabilities_to_the_IETF_sqEX1Ly.pdf
> >
> > This text is intended to be written in an accessible style to help vulnerability researchers, who may not be familiar with the IETF, navigate existing processes to disclose and remediate these vulnerabilities. With the exception of creating a last resort reporting email alias (protocol-vulnerability@ietf.org), this text is describing current practices in the IETF, albeit ones that may not be consistently applied.
> >
> > This guidance will serve as a complement to the recently written IETF LLC infrastructure and protocol vulnerability disclosure statement [2].
> >
> > The IESG appreciates any input from the community on the proposed text and will consider all input received by November 7, 2020.
> >
> > Regards,
> > Roman
> > (for the IESG)
> >
> > [1] This guidance text would be added to a new URL at https://www.ietf.org/standards/rfcs/vulnerabilities, and then referenced from http://www.ietf.org/contact, https://www.ietf.org/standards/process/, https://www.ietf.org/standards/rfcs/, and https://www.ietf.org/topics/security/
> >
> > [2] https://www.ietf.org/about/administration/policies-procedures/vulnerability-disclosure