Group Proposal, for discussion: Vulnerability Group
Martijn Verburg
martijnverburg at gmail.com
Thu Aug 24 17:33:41 UTC 2017
Hi Mark,
Totally applaud this idea! I have some suggested wording changes that
might be easiest to suggest as a diff or some sort of track changes on the
original text. Do you have a preferred mechanism for that type of feedback?
Cheers,
Martijn
On 24 August 2017 at 16:49, <mark.reinhold at oracle.com> wrote:
> (This is not a call for votes; it is just a call for discussion.)
>
> The Governing Board has been discussing the creation of a Vulnerability
> Group for a while now. This new Group is intended to be a secure,
> private forum in which trusted members of the OpenJDK Community can
> receive reports of vulnerabilities in OpenJDK code bases, review them,
> collaborate on fixing them, and coordinate the release of such fixes.
>
> This Group will be unusual in several respects, due to the sensitive
> nature of its work: Membership will be more selective, there will be a
> strict communication policy, and members (or their employers) will need
> to sign a non-disclosure and license agreement. These requirements do,
> strictly speaking, violate the OpenJDK Bylaws. The Governing Board has
> discussed this, however, and I expect that the Board will approve the
> creation of this Group with these exceptional requirements.
>
> I've posted a detailed proposal for the Vulnerability Group here:
>
> http://cr.openjdk.java.net/~mr/ojvg/
>
> That document contains a link to a draft of the non-disclosure and
> license agreement.
>
> The initial Lead of the Vulnerability Group will be Andrew Gross, who
> leads Oracle's internal Java Vulnerability Team.
>
> Comments?
>
> - Mark
>
More information about the discuss
mailing list