Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Dan Harkins <dharkins@lounge.org> Mon, 26 October 2020 04:51 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D4983A18DA for <ietf@ietfa.amsl.com>; Sun, 25 Oct 2020 21:51:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.146
X-Spam-Level:
X-Spam-Status: No, score=-2.146 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.247, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0r-Ss5MtOtzW for <ietf@ietfa.amsl.com>; Sun, 25 Oct 2020 21:51:48 -0700 (PDT)
Received: from www.goatley.com (www.goatley.com [198.137.202.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E1333A18D9 for <ietf@ietf.org>; Sun, 25 Oct 2020 21:51:47 -0700 (PDT)
Received: from trixy.bergandi.net (cpe-76-176-14-122.san.res.rr.com [76.176.14.122]) by wwwlocal.goatley.com (PMDF V6.8 #2433) with ESMTP id <0QIS03I0PLIBVH@wwwlocal.goatley.com> for ietf@ietf.org; Sun, 25 Oct 2020 23:51:47 -0500 (CDT)
Received: from blockhead.local ([69.12.173.8]) by trixy.bergandi.net (PMDF V6.7-x01 #2433) with ESMTPSA id <0QIS00221LB6O1@trixy.bergandi.net> for ietf@ietf.org; Sun, 25 Oct 2020 21:47:31 -0700 (PDT)
Received: from 69-12-173-8.static.dsltransport.net ([69.12.173.8] EXTERNAL) (EHLO blockhead.local) with TLS/SSL by trixy.bergandi.net ([10.0.42.18]) (PreciseMail V3.3); Sun, 25 Oct 2020 21:47:31 -0700
Date: Sun, 25 Oct 2020 21:51:45 -0700
From: Dan Harkins <dharkins@lounge.org>
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
In-reply-to: <5081794697df44d8bd76b675cf08dc23@cert.org>
To: ietf@ietf.org
Message-id: <3965ff3d-af5a-addb-1c31-8c356c296329@lounge.org>
MIME-version: 1.0
Content-type: text/plain; charset="utf-8"; format="flowed"
Content-language: en-US
Content-transfer-encoding: 8bit
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.11.0
X-PMAS-SPF: SPF check skipped for authenticated session (recv=trixy.bergandi.net, send-ip=69.12.173.8)
X-PMAS-External-Auth: 69-12-173-8.static.dsltransport.net [69.12.173.8] (EHLO blockhead.local)
References: <5081794697df44d8bd76b675cf08dc23@cert.org>
X-PMAS-Software: PreciseMail V3.3 [201022b] (trixy.bergandi.net)
X-PMAS-Allowed: system rule (rule allow header:X-PMAS-External noexists)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/OUeFNaiSxldvGby0tSU7CrlaX3g>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2020 04:51:50 -0000

   Howdy,

   Not all RFCs are the product of a working group so I think the 
section dealing
with "Expectations from the IETF" should address what the IETF feels it 
should do
wrt to RFCs published by the IETF that were not products of a working 
group. The
existing text seems to only address issues with RFCs that were the 
produce of a
(possibly closed) working group. This probably has an influence on 
Figure 1 too--
to be specific, before the decision of "4" there should be a decision on the
question of whether this is about an RFC that the IETF feels it needs to 
address.

   regards,

   Dan.

On 10/23/20 11:46 AM, Roman Danyliw wrote:
> Hi!
>
> The Internet Engineering Steering Group (IESG) is seeking community input on reporting protocol vulnerabilities to the IETF.  Specifically, the IESG is proposing guidance to be added to the website at [1] to raise awareness on how the IETF handles this information in the standards process.  The full text (which would be converted to a web page) is at:
>
> https://www.ietf.org/media/documents/Guidance_on_Reporting_Vulnerabilities_to_the_IETF_sqEX1Ly.pdf
>
> This text is intended to be written in an accessible style to help vulnerability researchers, who may not be familiar with the IETF, navigate existing processes to disclose and remediate these vulnerabilities.  With the exception of creating a last resort reporting email alias (protocol-vulnerability@ietf.org), this text is describing current practices in the IETF, albeit ones that may not be consistently applied.
>
> This guidance will serve as a complement to the recently written IETF LLC infrastructure and protocol vulnerability disclosure statement [2].
>
> The IESG appreciates any input from the community on the proposed text and will consider all input received by November 7, 2020.
>
> Regards,
> Roman
> (for the IESG)
>
> [1] This guidance text would be added to a new URL at https://www.ietf.org/standards/rfcs/vulnerabilities, and then referenced from www.ietf.org/contact, https://www.ietf.org/standards/process/, https://www.ietf.org/standards/rfcs/, and https://www.ietf.org/topics/security/
>
> [2] https://www.ietf.org/about/administration/policies-procedures/vulnerability-disclosure
>
>

-- 
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius