List:       openjdk-discuss
Subject:    Re: Group Proposal, for discussion: Vulnerability Group
From:       Weijun Wang <weijun.wang () oracle ! com>
Date:       2017-08-25 2:08:56
Message-ID: 10388A27-82AF-401F-ADB9-BAFA7776DBA3 () oracle ! com

Suppose I am a "recognized" expert in Area A, and Bob is one in Area B. We both have been handling security issues before. Does this mean we would both be included in the group and I can read all discussions in Area B?

Also, what is the proper way to temporarily include someone when working on a specific bug? For example, a test engineer, a 3rd-party expert (Ex: a bug only on Windows and we work with someone in Microsoft) or a customer. Since vuln-dev@openjdk.java.net is not open to them I assume I cannot CC one while writing to this list. Do I just talk to him/her one-to-one?

Thanks
Max

> On Aug 24, 2017, at 11:49 PM, mark.reinhold@oracle.com wrote:
> 
> (This is not a call for votes; it is just a call for discussion.)
> 
> The Governing Board has been discussing the creation of a Vulnerability
> Group for a while now.  This new Group is intended to be a secure,
> private forum in which trusted members of the OpenJDK Community can
> receive reports of vulnerabilities in OpenJDK code bases, review them,
> collaborate on fixing them, and coordinate the release of such fixes.
> 
> This Group will be unusual in several respects, due to the sensitive
> nature of its work: Membership will be more selective, there will be a
> strict communication policy, and members (or their employers) will need
> to sign a non-disclosure and license agreement.  These requirements do,
> strictly speaking, violate the OpenJDK Bylaws.  The Governing Board has
> discussed this, however, and I expect that the Board will approve the
> creation of this Group with these exceptional requirements.
> 
> I've posted a detailed proposal for the Vulnerability Group here:
> 
> http://cr.openjdk.java.net/~mr/ojvg/
> 
> That document contains a link to a draft of the non-disclosure and
> license agreement.
> 
> The initial Lead of the Vulnerability Group will be Andrew Gross, who
> leads Oracle's internal Java Vulnerability Team.
> 
> Comments?
> 
> - Mark
