Re: Bounty: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement
John Levine <johnl@taugh.com> Thu, 06 August 2020 18:56 UTC
Date: Thu, 06 Aug 2020 14:56:33 -0400
Message-Id: <20200806185633.BA7581E1C1CC@ary.qy>
From: John Levine <johnl@taugh.com>
To: ietf@ietf.org
Subject: Re: Bounty: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement
In-Reply-To: <C20C9BA2-549D-4326-B77E-D8E6A2DE7511@akamai.com>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/aEltyaerK0B93WUVlvkVb7eivdI>

In article <C20C9BA2-549D-4326-B77E-D8E6A2DE7511@akamai.com> you write:
> > * Whether or not this statement should be supplemented with a "bug bounty" program.
>
>In my experience (several years running openssl.org), bug bounties for websites are not worthwhile.

Agreed. They can be counterproductive and lead to silly situations of
"I won't tell you unless you pay me first because I don't trust you to pay later."

R's,
John