[sldev] Viewer security vulnerability disclosure group

Jacek Antonelli jacek.antonelli at gmail.com
Wed Dec 24 14:13:18 PST 2008


On Tue, Dec 23, 2008 at 6:37 PM, Rob Lanphier <robla at lindenlab.com> wrote:
> For example, is
> it reasonable for us to require non-disclosure agreements of everyone in
> the group?  I suspect that we'll need to take this step, but if there's
> a really good reason that I'm not thinking of why we shouldn't do this,
> I'd like to hear it.
> 2.  If you're interested in being in this group, send me an email
> indicating your interest, and why you feel you should be in this group.

I'd certainly be up for hearing about security vulnerabilities ahead
of time, since it generally takes us a few days to prepare a new
release. However, an NDA would be a total no-go.

We have three different people involved in compiling and packaging our
viewer (one for Linux, Mac, Windows each), and requiring volunteers to
sign an NDA just to help us compile would be an unreasonable
imposition.

I _might_ be willing to sign an NDA myself so I could at least prepare
the source ahead of time. But if the NDA restricted distribution of
the fixed source code, we wouldn't be able to make use of the head
start anyway, since the other packagers wouldn't be allowed access to
the updated source until after the vulnerability was made public.

We could respond just as quickly, and without having to sign anything,
by just waiting for the public announcement and source drop.

- Jacek

