RE: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Roman Danyliw <> Wed, 28 October 2020 14:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 58D443A0A84 for <>; Wed, 28 Oct 2020 07:54:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4k6JcX9kKHLl for <>; Wed, 28 Oct 2020 07:54:17 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C6A903A0A83 for <>; Wed, 28 Oct 2020 07:53:39 -0700 (PDT)
Received: from ( []) by (8.14.7/8.14.7) with ESMTP id 09SErako001564; Wed, 28 Oct 2020 10:53:36 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 09SErako001564
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=yc2bmwvrj62m; t=1603896816; bh=cR1Ydnw3mtLROLgUrGLYnjFSfY84UxR8k9/AcWBlig0=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=Y0b1vm1j/i7BGvtnHArGSf6zjMvZFt2H8SncmJS6qledRgrdw7Qv84bQdiHRxEYoj yDuD7XhnBSsSSJK3OXoR6H917OtNA05bdgKaJEY1dVAjAMAbA9vszMzlclXDHRnLkx rIMSzXUmbSxRRV2RSs/4RLCDVGgs2N70J2AscGRs=
Received: from ( []) by (8.14.7/8.14.7) with ESMTP id 09SErVlA017325; Wed, 28 Oct 2020 10:53:31 -0400
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Wed, 28 Oct 2020 10:53:31 -0400
Received: from ([fe80::555b:9498:552e:d1bb]) by ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.2106.002; Wed, 28 Oct 2020 10:53:31 -0400
From: Roman Danyliw <>
To: Eliot Lear <>
CC: The IETF List <>
Subject: RE: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Thread-Topic: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
Thread-Index: Adapa+D5Cfcs8r0xT9Wg091feiESVgCMHiYAABWiuxAAIoqtAAABE40AAC191IAAAGB+8A==
Date: Wed, 28 Oct 2020 14:53:30 +0000
Message-ID: <>
References: <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_0112bba51cd441d786287b3fb74c3ab0certorg_"
MIME-Version: 1.0
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 28 Oct 2020 14:54:19 -0000

Hi Eliot!

From: Eliot Lear <>
Sent: Wednesday, October 28, 2020 6:34 AM
To: Roman Danyliw <>
Cc: The IETF List <>
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Hi Roman,

On 27 Oct 2020, at 20:06, Roman Danyliw <<>> wrote:

Hi Eliot!

[Roman] In my view, the proposed text effectively says “this is the IETF process and as a last resort, please use the catch all alias”.  My read of your tighter text is the opposite, “here is a new reporting  alias, consider also getting involved in the IETF processes”.  Put in another way, we are actively steering away from established processes (e.g., using the mailing lists) and preferring the triage alias as the first step.  With the reduced text, we are not longer explaining “all the usual processes”.

Ok, Here’s a slightly tweaked version of that text to address how you read the doc:

If you believe you’ve discovered a protocol vulnerability, we very much welcome your contribution.
You are also invited to take your findings to any open IETF working group or mailing list that you believe would be appropriate, in order to discuss protocol improvements to address any vulnerabilities.  If you do not know which IETF working group or mailing list to use or otherwise need help with our processes, we invite you to email “<>” as well as the document authors, and we will assist you.  All of our work is public, and therefore, disclosing to a working group or mailing list is public.  In some cases, we may ask you to file an erratum, and we will be happy to guide you through that process.

Again, fewer words are better.  And again, adding a few sentences about expectations is just fine.  This should make clear that the mailing list is intended to provide assistance, not triage, and it is entirely optional.

Does that make it clearer that we’re not gate keeping?

[Roman] Indeed it does.  I’d recommend a bit more wordsmithing based on the other feedback provided on payment and inclusion, but the substance is there for me.  Let me get the text into github so edits are easier to manage.

[Roman] To check that we’re on the same page, I see a future version of text like this as the up-front summary.  I believe we still need the existing detailed text to describe the detail process by which to engage the IETF (alluded to in this style of summary).  Agreed?