From 4ed8f9166a1f2e62173738860d4b3ba2aac08295 Mon Sep 17 00:00:00 2001 From: Chris de Almeida Date: Wed, 8 Nov 2023 12:10:01 -0600 Subject: [PATCH] CBE -> CVE --- meetings/2023-09/september-26.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meetings/2023-09/september-26.md b/meetings/2023-09/september-26.md index 66b2ee27..55ff89aa 100644 --- a/meetings/2023-09/september-26.md +++ b/meetings/2023-09/september-26.md 
@@ -177,7 +177,7 @@ SYG: Okay, so concrete question, suppose somebody is reporting, let me try the p MF: The latter thing. When reports are mistakenly given through this process and they are engine specific, we want them to be redirected either through themselves being redirected when reading this process or if they still send it to us, getting back to them, or going through the security focals making sure it goes to the right place. When it is a language vulnerability, when we have suspicion that it is language vulnerability, which we have not defined what it is, it will be addressed in the group and expanded as necessary to include everybody who needs to be involved. -SYG: In terms of consensus, in asking for consensus, I have no concerns with kind of redirecting to the right project where necessary. I’m not clear on what the actionable thing is when we, for reports in the second bucket that does not fall into any particular projects purview. I guess if the consensus you’re asking for is, you should take that input and then discuss it, I have no concern, but I’m a little bit uncomfortable labeling such things as vulnerabilities if it doesn’t rise to the level of a particular software shipping a fix to do something. Like, if it’s just, we accepted a report, I’m not sure that gives the same messaging as a CBE would. +SYG: In terms of consensus, in asking for consensus, I have no concerns with kind of redirecting to the right project where necessary. I’m not clear on what the actionable thing is when we, for reports in the second bucket that does not fall into any particular projects purview. I guess if the consensus you’re asking for is, you should take that input and then discuss it, I have no concern, but I’m a little bit uncomfortable labeling such things as vulnerabilities if it doesn’t rise to the level of a particular software shipping a fix to do something. Like, if it’s just, we accepted a report, I’m not sure that gives the same messaging as a CVE would. 
MF: In the interim, between setting up this initial policy and actually defining our desired security properties, it is going to be more of an I-know-it-when-I-see-it kind of thing. Later hopefully we will have more well defined security properties and we will be able to clearly determine whether or not it is a violation of any of these security properties we try to hold.
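Review bot: the `-`/`+` pair is correct as written: "CBE" in SYG's sentence is a transcription error for CVE (Common Vulnerabilities and Exposures), which is the identifier SYG is contrasting with merely "we accepted a report", so the substitution restores the intended meaning without altering the speaker's point. Since this is a one-character transcription fix in a long transcript, consider grepping the rest of meetings/2023-09 (and the other days' notes) for "CBE" before merging so any repeat of the same mishearing is fixed in the same commit rather than in a follow-up; the subject line "CBE -> CVE" would then cover all of them. The commit message itself could also spell out the expansion once (for example "CBE -> CVE (Common Vulnerabilities and Exposures)") so a reader of the history does not have to open the diff to see that this is a typo fix and not a terminology change.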