Group Proposal, for further discussion: Vulnerability Group
John Coomes
jcoomes at twitter.com
Wed Feb 21 06:04:16 UTC 2018
> On January 31, 2018 at 8:44 AM mark.reinhold at oracle.com wrote:
>
>
> (This is not a call for votes; it is just a call for discussion.)
>
> To follow up on my initial call for discussion last August [1], I've
> posted a revised proposal for the Vulnerability Group together with
> the final version of the non-disclosure and license agreement, and
> diffs of the final version with respect to the first version:
>
> http://cr.openjdk.java.net/~mr/ojvg/
> http://cr.openjdk.java.net/~mr/ojvg/ojvg-ndla-2018-01-30.pdf
> http://cr.openjdk.java.net/~mr/ojvg/ojvg-ndla-2018-01-30-diffs.pdf
> ...
Hi Mark,
I've read the NDLA and definitely struggled with the legalese. While our
lawyers are reading it, I was hoping to get some clarification on the
intent of the Group with regard to sharing information. I'm not asking you
for a legal opinion, but for your opinion as an engineer on the expected
operation of the Group.
The most efficient way of developing, testing, and sharing vulnerability
fixes is via a shared repository (at least IMHO). Obviously, any such
repository would have to have access restrictions in place so that until
the fixes were otherwise publicly disclosed, only Vulnerability Group
Members would have access to the repo. The NDLA seems overly focused on
the mailing list as a means of sharing information among Members, as that
is the only means mentioned.
First, is it the intent of the Group to allow sharing of vulnerability
fixes ("Confidential Information" is the term used in the NDLA) among
Members via means other than the mailing list? Second, more specifically,
would a repository shared exclusively among Members be an acceptable means
of sharing vulnerability fixes?
If the answer to either of the above is yes, it would be helpful to amend
the NDLA to make that clear.
If the answer to either of the above is no, the obvious follow-on question
is: Why not?
Again, I'm asking for an opinion on the expected operation of the Group,
not a legal opinion on the NDLA. Once the intent is clear, it should make
it easier for the attorneys to analyze the language in the NDLA to verify
it matches the intent.
-John