From: Florian Weimer
To: Chris Wright
Cc: linux-kernel@vger.kernel.org
Subject: Re: security contact draft
References: <20050113125503.C469@build.pdx.osdl.net>
Date: Thu, 13 Jan 2005 22:43:29 +0100
In-Reply-To: <20050113125503.C469@build.pdx.osdl.net> (Chris Wright's message of "Thu, 13 Jan 2005 12:55:03 -0800")
Message-ID: <87mzvd9f9a.fsf@deneb.enyo.de>
X-Mailing-List: linux-kernel@vger.kernel.org

* Chris Wright:

> To keep the conversation concrete, here's a pretty rough stab at
> documenting the policy.

Looks fine. Maybe you can add the following section?

3) Non-disclosure agreements

The Linux kernel security contact is not a formal body and therefore unable to enter any non-disclosure agreements.

UNIRAS and probably others require NDAs from affected software vendors before they share vulnerability information. It makes things easier if you state upfront that you won't play such games.