[Development] Proposal: Change Qt's Security Policy to Full Disclosure

Lincoln Ramsay a1291762 at gmail.com
Wed Oct 24 00:40:56 CEST 2012

On 24/10/12 07:01, d3fault wrote:
> If you discover a vulnerability, please report it to
> security at qt-project.org and we'll take care of the rest. You can of
> course join in on the discussion and suggest fixes etc, as Qt is a
> If you think the vulnerability would cause harm being publicly
> disclosed, you can instead send it to security-private at qt-project.org
> --- but remember... just who are those people with access to that
> list, and can you trust them to not un/intentionally leak your
> vulnerability?

As has already been pointed out, you're confusing things by choosing to 
assign different names to things. We already have a public and a private 
list. We're not renaming things or creating new lists just to match the 
names you think we should have.

If you want to report an issue to the Qt project so that the whole world 
knows about it too, use development at qt-project.org.

If you want to report an issue to the Qt project but you think the world 
perhaps shouldn't know about it yet, use security at qt-project.org. When 
the people on that list think the world should know about the issue, 
they'll let development at qt-project.org know.

If you don't like that other people choose to let the Qt project know of 
a security issue without informing you at the same time... you'll have 
to take that up with those people because they would use 
security-private@ over security@ if those were the names we had.

