Skip to content
This repository has been archived by the owner on Dec 21, 2022. It is now read-only.

Latest commit

 

History

History
27 lines (14 loc) · 1.89 KB

README.md

File metadata and controls

27 lines (14 loc) · 1.89 KB

See: Thread on [email protected] mailing list

Call closed on November 10, 2020. Thank you for the community input.


To: [email protected]

Date: Fri, 23 October 2020 18:46 UTC

Subject: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Hi!

The Internet Engineering Steering Group (IESG) is seeking community input on reporting protocol vulnerabilities to the IETF. Specifically, the IESG is proposing guidance to be added to the website at [1] to raise awareness on how the IETF handles this information in the standards process. The full text (which would be converted to a web page) is at:

https://www.ietf.org/media/documents/Guidance_on_Reporting_Vulnerabilities_to_the_IETF_sqEX1Ly.pdf

This text is intended to be written in an accessible style to help vulnerability researchers, who may not be familiar with the IETF, navigate existing processes to disclose and remediate these vulnerabilities. With the exception of creating a last resort reporting email alias ([email protected]), this text is describing current practices in the IETF, albeit ones that may not be consistently applied.

This guidance will serve as a complement to the recently written IETF LLC infrastructure and protocol vulnerability disclosure statement [2].

The IESG appreciates any input from the community on the proposed text and will consider all input received by November 7, 2020.

[1] This guidance text would be added to a new URL at https://www.ietf.org/standards/rfcs/vulnerabilities, and then referenced from www.ietf.org/contact, https://www.ietf.org/standards/process/, https://www.ietf.org/standards/rfcs/, and https://www.ietf.org/topics/security/

[2] https://www.ietf.org/about/administration/policies-procedures/vulnerability-disclosure