[184191] in North American Network Operators' Group
Re: Security release scheduling
daemon@ATHENA.MIT.EDU (Barry Greene)
Tue Sep 29 03:39:51 2015
X-Original-To: nanog@nanog.org
From: Barry Greene <bgreene@senki.org>
In-Reply-To: <560A13E6.7060509@nwtime.org>
Date: Tue, 29 Sep 2015 15:39:57 +0800
To: Harlan Stenn <stenn@nwtime.org>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
>
> Hi Harlan,
The general principle is to look out for the major network lockdowns. Sometimes that overlaps with holidays. Other times it is over financial close months.
My personal $.02 is to avoid major vulnerability disclosures in December, during Lunar New Year weeks, during Ramadan, and June. Some would also include August (Euro holidays).
But these days there are timers given by the vulnerability finder (or CERT Team) and conference disclosures (security rock stars) that drive the disclosure to a time which is not optimal to the people who have to roll out the remediation.
In essence, write a disclosure policy, put it on your website, and be open for improvements based on input from your constituents. Do your best. That is all you can do.
Barry
PS - Let me know if you need help writing the disclosure policy.