Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Eliot Lear <> Wed, 28 October 2020 20:22 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 738583A0A0B; Wed, 28 Oct 2020 13:22:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zV7QaqEh4lDs; Wed, 28 Oct 2020 13:22:20 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8414C3A0A13; Wed, 28 Oct 2020 13:22:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=6111; q=dns/txt; s=iport; t=1603916539; x=1605126139; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=vVDwzYNIRWtp9BIA75XQecPopzZRtoHcdJv31mGcWo8=; b=AG0iMq8O7ukcQIKcIGmBOzFvsNuN/HxX61SVdBP6EjaY1y4mLp3JufuD NJyndhFlztaMREvkhKCJxDifboaZO4E0moPC1CB/skUCD5qhz4lPLwXVQ raxqDe8OcFrW5YBJFw+QLVk9WO50cLTpH9BTj4CL9Dqj1PXkSfBKxIGcq c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CgBQDS0Zlf/xbLJq1gHgEBCxIMggQ?= =?us-ascii?q?LgSOCTAEgEoRqiQWHaCaUC4YxgWkLAQEBDQEBLwQBAYRKAoIGJjcGDgIDAQE?= =?us-ascii?q?LAQEFAQEBAgEGBG2FbYVzAQQBHQZWEAtCAgJXBieDEoJdIK03doEyhVeFCoE?= =?us-ascii?q?4jVSCAIE4DBCCTT6ECAESAYM4M4IsBLYRgXyCdYMYl2gDH5JFjxuwHYNfAgQ?= =?us-ascii?q?GBQIVgWokZ3AzGggbFWUBgj89EhkNhj+WKkADaAIGAQkBAQMJjkgBAQ?=
X-IronPort-AV: E=Sophos; i="5.77,427,1596499200"; d="scan'208,217"; a="30706500"
Received: from (HELO ([]) by with ESMTP/TLS/DHE-RSA-SEED-SHA; 28 Oct 2020 20:22:15 +0000
Received: from [] ([]) by (8.15.2/8.15.2) with ESMTPS id 09SKMEJt015024 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 28 Oct 2020 20:22:14 GMT
From: Eliot Lear <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_77B19167-CF7B-4273-AE48-9E95ED4062A4"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Date: Wed, 28 Oct 2020 21:22:14 +0100
In-Reply-To: <>
Cc: Roman Danyliw <>, The IETF List <>
To: Jay Daley <>
References: <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3608.
X-Outbound-SMTP-Client:, []
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 28 Oct 2020 20:22:21 -0000

Hi Jay

> To unpick this we need to consider the perspective of potential reporters and their different motivations:
> 1.  People who already know the IETF will already know that they can contact the appropriate WG and/or authors and so don’t need to be told that.  If they don’t have a problem with that then there’s nothing to be done, but if they believe that this approach will not work then an alternate mechanism is needed.  The text above suggests that this is not an alternative mechanism, simply an issue routing support mechanism, and so is unlikely to address that need.

Our people have no need of any of this.  They understand our processes, and know how to maneuver them.  This document doesn’t really address them.

> 2.  In my experience, vulnerability reporters who do not know the organisation they are reporting to want to know that the organisation commits to seriously consider the result, and want a simple, centralised mechanism for reporting.  People who do not know the IETF will struggle to find the appropriate WG and/or authors and so hopefully skip to the single email address, but the positioning of that has no suggestion of either commitment or seriousness and so I don’t think that meets their needs either.

Yes, they will struggle to find the appropriate working group.  As to positioning...

> To be clear, when I say "commitment" I don’t mean "I commit to fix this problem" but "I commit to ensure this problem is put before the right people and given proper consideration".

… PRs welcome ;-).