[sldev] Viewer security vulnerability disclosure group

Henri Beauchamp sldev at free.fr
Wed Dec 24 11:02:46 PST 2008


On Tue, 23 Dec 2008 16:37:23 -0800, Rob Lanphier wrote:

> Hi folks,
> 
> When we had the vulnerability in the Second Life viewer back in October,
> we didn't have a great setup for communicating discreetly with people
> who are working on derived works to give them a warning that they'll
> need to publish an update to keep their users safe.
> 
> Since the viewer is totally secure now, I suppose this isn't a problem,
> no?  Hrmph, ok, I guess we should be a little more prepared next time.

Good idea, indeed...

> .../...
> Here's what I'd like from you all:
> 1.  A discussion about what group of people it's going to be acceptable
> to provide early access to vulnerability information.

Easy... Everyone listed in the "Alternate Viewers" section of the SL Wiki
(https://wiki.secondlife.com/wiki/Alternate_viewers) should receive early
warnings and security fixes.

> For example, is it reasonable for us to require non-disclosure agreements
> of everyone in the group? I suspect that we'll need to take this step,
> but if there's a really good reason that I'm not thinking of why we
> shouldn't do this,

It's not reasonable if it forces involved people to reveal their true (RL)
identity and thus lose their anonymity... SL is very much an "adult game"
for many of us, where much kinky stuff (such as BDSM) is roleplayed thanks
to the (relative) anonymity the Internet provides. Among the developers
involved in the alternate viewers development and/or compilation/
distribution, I know at least 4 of them (me included) who certainly prefer
to stay anonymous.

Besides, as pointed out earlier in this thread, a non-disclosure agreement
is hardly an efficient protection on the Internet... It's easy to post 100%
anonymously on a blog or forum.

> I'd like to hear it.
> 2.  If you're interested in being in this group, send me an email
> indicating your interest, and why you feel you should be in this group.

As the developer of the Cool SL Viewer for Linux and its upstream for
the Windoze and MacOS X versions (which are both based on the very same
source code and patches I produce), I do feel I should be part of this
group.

Oh.... and Merry Christmas to everyone ! :-)

Henri.

