Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Loganaden Velvindron <> Mon, 26 October 2020 19:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 592BE3A0E91 for <>; Mon, 26 Oct 2020 12:58:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id G4lVyK5WKI-g for <>; Mon, 26 Oct 2020 12:58:46 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::82b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id EEAC53A0E83 for <>; Mon, 26 Oct 2020 12:58:45 -0700 (PDT)
Received: by with SMTP id h12so2618574qtc.9 for <>; Mon, 26 Oct 2020 12:58:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=2/MoJzKsVGsEX5jb9ExnWdtwrGdtlSN+RGUrf3nh2IE=; b=Id0OPhZlxBsCK4NLSFQknL8sOpZBCqlJDb52mwZMPfEeJan3LAPMFXiyHui022HLvb 0BbYaV3cc91qcv6qJZquh7KbIyl+fEZ3i9tzgG4/6QP1ZOricn/nTqlzMSx0fGeQF0d8 Y1I/iG/ekPKlM6bAvfpYyd23OvwTL2Yzr8DyB711zh5x8COJcVzwMFxnvlefjtR4Cw1x aR8XOnEiT+w1GjuvP23clvFyTRdjxjo6xMXwoBT2Rs2pcwNcy1N5cHtGt0C8Qccc0Tk9 yB5QgiKbmr3jmPO2xt14HcTXcZVWohA1UoYr3Bz2Gkq11L56wPFWuTigQaz7EXvg8me+ NMKA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=2/MoJzKsVGsEX5jb9ExnWdtwrGdtlSN+RGUrf3nh2IE=; b=k5a5WiC2EeDBZfvnhrdSITzmq1bZVq7CmkH1VzPcucMoZMPrLnC954kPBuJ/LOtz8n oWC7XmuV1HCQyrAg/WkT/sr7jprP0VwbcC+C34B02WDsDkmZ22W8rggm3SnPd0dfYp9U IpIApfZHziHyVBGopa41wr9MkD2HfRy0lspMWG9xXlFEUlcEfDX3GrLF2/nzVYXkLfTG LVJfqLkgM8hJsKm//q+FSvnHBS3MRtgwxGDqBjME4VqScbxtujulXJ6WV5OTIkRgsxRn yYCw4cuq4775lHYCnrnarV91p8aD4jw2PEAsBsXkBMflW57b4xEVOmZpD7fYk1d9+SjC l5dQ==
X-Gm-Message-State: AOAM5339xK8NDX7YRNwrO9rqN6RsjBuPO9tFJSDfIXWfUvkB4JDhGMTc R8i+2U9OLZyK7W9eVzjl0Fx5AJviEpc6BK1Jcgg=
X-Google-Smtp-Source: ABdhPJyh+Cd+upic2o1DH56mp3E6yYnxXFlDtHD7mk8GPhJkcDT6egnuAlTw3epmI8stpL3yQ8cg9XFYPYYCaG/+4Nc=
X-Received: by 2002:ac8:5743:: with SMTP id 3mr20010660qtx.259.1603742324930; Mon, 26 Oct 2020 12:58:44 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Loganaden Velvindron <>
Date: Mon, 26 Oct 2020 23:58:33 +0400
Message-ID: <>
Subject: Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities
To: Roman Danyliw <>
Cc: "" <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 26 Oct 2020 19:58:47 -0000

On Fri, Oct 23, 2020 at 10:47 PM Roman Danyliw <> wrote:
> Hi!
> The Internet Engineering Steering Group (IESG) is seeking community input on reporting protocol vulnerabilities to the IETF.  Specifically, the IESG is proposing guidance to be added to the website at [1] to raise awareness on how the IETF handles this information in the standards process.  The full text (which would be converted to a web page) is at:
> This text is intended to be written in an accessible style to help vulnerability researchers, who may not be familiar with the IETF, navigate existing processes to disclose and remediate these vulnerabilities.  With the exception of creating a last resort reporting email alias (, this text is describing current practices in the IETF, albeit ones that may not be consistently applied.

I've spoken to a few security researchers and asked why they aren't
willing to talk to the IETF. From their reply, it seems that they see
the IETF as being "complicated". I welcome the document as it's a step
forward in the right direction.

 There have been cases where security researchers feel that the
organizations are taking too long and then they decide to publish full
details including Proof of Concept. I think that the document should
encourage researchers to wait before releasing full PoC until the
proper errata has been published.

> This guidance will serve as a complement to the recently written IETF LLC infrastructure and protocol vulnerability disclosure statement [2].
> The IESG appreciates any input from the community on the proposed text and will consider all input received by November 7, 2020.
> Regards,
> Roman
> (for the IESG)
> [1] This guidance text would be added to a new URL at, and then referenced from,,, and
> [2]