[sldev] Viewer security vulnerability disclosure group
Rob Lanphier
robla at lindenlab.com
Tue Dec 23 16:37:23 PST 2008
Hi folks,
When we had the vulnerability in the Second Life viewer back in October,
we didn't have a great setup for communicating discreetly with people
who are working on derived works to give them a warning that they'll
need to publish an update to keep their users safe.
Since the viewer is totally secure now, I suppose this isn't a problem,
no? Hrmph, ok, I guess we should be a little more prepared next time.
I did some fishing around for how other folks handle this. Here's info
on Mozilla's Security Group, which seems most analogous.
http://www.mozilla.org/projects/security/membership-policy.html
And here's the "Announcing Security Vulnerabilities" section from Karl
Fogel's book "Producing Open Source Software":
http://producingoss.com/en/publicity.html#security
Here's what I'd like from you all:
1. A discussion about what group of people it's going to be acceptable
to provide early access to vulnerability information. For example, is
it reasonable for us to require non-disclosure agreements of everyone in
the group? I suspect that we'll need to take this step, but if there's
a really good reason that I'm not thinking of why we shouldn't do this,
I'd like to hear it.
2. If you're interested in being in this group, send me an email
indicating your interest, and why you feel you should be in this group.
With any luck, we'll have a group in place before we have a
vulnerability to disclose.
Rob