Thanks for forwarding, Joakim. I'm happy to say this seems aligned with my proposed TF disclosure policy (e.g. encourage a high quality fix ASAP but disclose after 90 days).

 

Regarding the status of the TF disclosure policy, I'm still making changes to this in the light of new information, e.g.

* The disclosure timeline is largely controlled by the reporter so we need some acknowledgement of that.

* In some cases it may not be possible to release a fix to a restricted audience for export control reasons. Although the incident can be discussed among a restricted audience, the fix may have to be issued publicly.

 

I can elaborate on this at the next TSC if needed.

 

Regards


Dan.

 

From: TSC <tsc-bounces@lists.trustedfirmware.org> On Behalf Of Joakim Bech via TSC
Sent: 07 January 2020 17:44
To: tsc@lists.trustedfirmware.org
Subject: [TF-TSC] Project Zero disclosure policy updates

 

Hi,

 

I thought this was interesting enough to share it with you guys, especially since we've had this up for discussion a couple of times.

 

https://googleprojectzero.blogspot.com/2020/01/policy-and-disclosure-2020-edition.html  

 

Regards,

Joakim

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.