[Development] Proposal: Change Qt's Security Policy to Full Disclosure

d3fault d3faultdotxbe at gmail.com
Wed Oct 24 01:12:33 CEST 2012


On 10/23/12, Lincoln Ramsay <a1291762 at gmail.com> wrote:
> We're not renaming things or creating new lists just to match the
> names you think we should have.
>

*sigh*, I had a feeling someone would say something like that.

The changes are trivial at a glance, yes....
...but what the Qt Project officially endorses/recommends is the real
change here.

Right now, the Qt Project instructs analysts to use
security-through-obscurity when reporting vulnerabilities.

"If you find [...] a security issue, contact us at security at qt-project.org
so we can deal with it" (
http://lists.qt-project.org/pipermail/development/2012-October/006893.html
).

You could change that /security/index.html suggestion to recommend the
development list for public and keep security@ for the private list,
that makes no difference. Semantics. As an aside, I think it would be
better for security to go in its own list... but that's just an
organizational decision.

List names are not very important at all, whereas the policy on "where
to report vulns" is extremely important.

d3fault
