Group Proposal, for further discussion: Vulnerability Group

mark.reinhold at
Mon Feb 26 17:37:45 UTC 2018

2018/2/20 22:04:16 -0800, John Coomes <jcoomes at>:
> ...
> The most efficient way of developing, testing, and sharing vulnerability
> fixes is via a shared repository (at least IMHO).  Obviously, any such
> repository would have to have access restrictions in place so that until
> the fixes were otherwise publicly disclosed, only Vulnerability Group
> Members would have access to the repo.  The NDLA seems overly focused on
> the mailing list as a means of sharing information among Members, as that
> is the only means mentioned.

I will not comment here upon the NDLA, nor upon interpretations of it.
Anything I write here is intended only to clarify what I wrote in the
proposal [1].

> First, is it the intent of the Group to allow sharing of vulnerability
> fixes ("Confidential Information" is the term used in the NDLA) among
> Members via means other than the mailing list?

The proposal describes two communication channels for the discussion of
vulnerability fixes: The vuln-dev list and the JDK bug system (JBS) [2].
It does not explicitly limit the sharing of fixes to those two channels.
The adoption of some other channel would have to be consistent with the
proposal, agreed to by the Group, and subject to the NDLA.

>                                                 Second, more specifically,
> would a repository shared exclusively among Members be an acceptable means
> of sharing vulnerability fixes?

It might, if it could be made sufficiently secure, but I share Andrew's
concern, expressed nearby -- a single repository containing all current
and historical vulnerability information could itself present security
risks, and would require careful thought.

> If the answer to either of the above is yes, it would be helpful to amend
> the NDLA to make that clear.

The NDLA has been available in draft form since last August.  If you
think that a change is needed at this late date then we can certainly
discuss it, but it would further delay the formation of the Group.

- Mark

