[sldev] Viewer security vulnerability disclosure group

Tateru Nino tateru.nino at gmail.com
Wed Dec 24 05:36:50 PST 2008


Such a list is certainly relatively common practice, and with good reasons.

However, insofar as the NDAs go, no contract on earth will compel a
party to do something that they don't intend to do in the first place.
All an NDA does is basically give you the right to sue for damages in
the event that someone leaks it.

I don't think many people capable of *meeting* such damages are likely
to be on the list. Essentially, it's a threat - albeit a polite one -
and does not seem to serve Linden Lab's interest. Either you trust the
people you're putting on the list, or you don't - and if you don't,
don't add them to the list.

NDAs aren't going to make the disclosures any more secure than without.
If someone's going to leak the disclosures, they're going to do it
anyway. The SL-Views NDAs hardly held much water -- they leaked like a
sieve (I should know. Some of my private information was discussed at an
SL-Views session and then leaked to a certain well-known blogger).

Just my two bits, as a third-party (who has done this before).

Rob Lanphier wrote:
> Hi folks,
>
> When we had the vulnerability in the Second Life viewer back in October,
> we didn't have a great setup for communicating discreetly with people
> who are working on derived works to give them a warning that they'll
> need to publish an update to keep their users safe.
>
> Since the viewer is totally secure now, I suppose this isn't a problem,
> no?  Hrmph, ok, I guess we should be a little more prepared next time.
>
> I did some fishing around for how other folks handle this.  Here's info
> on Mozilla's Security Group, which seems most analogous.
> http://www.mozilla.org/projects/security/membership-policy.html
>
> And here's the "Announcing Security Vulnerabilities" section from Karl
> Fogel's book "Producing Open Source Software":
> http://producingoss.com/en/publicity.html#security
>
> Here's what I'd like from you all:
> 1.  A discussion about what group of people it's going to be acceptable
> to provide early access to vulnerability information.  For example, is
> it reasonable for us to require non-disclosure agreements of everyone in
> the group?  I suspect that we'll need to take this step, but if there's
> a really good reason that I'm not thinking of why we shouldn't do this,
> I'd like to hear it.
> 2.  If you're interested in being in this group, send me an email
> indicating your interest, and why you feel you should be in this group.
>
> With any luck, we'll have a group in place before we have a
> vulnerability to disclose.
>
> Rob