[Development] Proposal: Change Qt's Security Policy to Full Disclosure
Lincoln Ramsay
a1291762 at gmail.com
Wed Oct 24 00:40:56 CEST 2012
On 24/10/12 07:01, d3fault wrote:
> If you discover a vulnerability, please report it to
> security at qt-project.org and we'll take care of the rest. You can of
> course join in on the discussion and suggest fixes etc, as Qt is a
> COLLABORATIVE PROJECT.
>
> If you think the vulnerability would cause harm being publicly
> disclosed, you can instead send it to security-private at qt-project.org
> --- but remember... just who are those people with access to that
> list, and can you trust them to not un/intentionally leak your
> vulnerability?
As has already been pointed out, you're confusing things by choosing to
assign different names to things. We already have a public and a private
list. We're not renaming things or creating new lists just to match the
names you think we should have.
If you want to report an issue to the Qt project so that the whole world
knows about it too, use development at qt-project.org.
If you want to report an issue to the Qt project but you think the world
perhaps shouldn't know about it yet, use security at qt-project.org. When
the people on that list think the world should know about the issue,
they'll let development at qt-project.org know.
If you don't like that other people choose to let the Qt project know of
a security issue without informing you at the same time... you'll have
to take that up with those people because they would use
security-private@ over security@ if those were the names we had.
--
Link