Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

Zero Day Response Model

  1. Cleaning up and automating the build and publishing process to enable releases to be cut quickly by whoever is available.
  2. No "grace periods" or "private discussions"; publicly discuss asap.
  3. Ideally set up a conference call to initiate discussion on how to resolve the issue and to assign responsibilities.
  4. Set up a secure communication channel for security advisories and notifications.  Perhaps update a public websites.

Current process:

    1. Don't open JIRA Issues
    2. Don't open pull requests; do a direct commit
    3. Cut the security releases including release notes.
    4. Community Notification
    5. After announcement, create JIRA's.
    6. Three possibilities: 
      1. No grace period - Everyone knows before people can patch + poeople  who follow many projects on bugtraq know right away
      2. 15 business day grace period - People watching bugtraq will be unhappy with what looks sloppy reporting + Lets adopters try to patch first
      3. short grace period  - People don't really have time to benifit.
    7. Public disclosure: bugtraq

...