[184192] in North American Network Operators' Group
Re: Security release scheduling
daemon@ATHENA.MIT.EDU (Harlan Stenn)
Tue Sep 29 03:57:25 2015
X-Original-To: nanog@nanog.org
To: Barry Greene <bgreene@senki.org>
From: Harlan Stenn <stenn@nwtime.org>
Date: Tue, 29 Sep 2015 00:57:19 -0700
In-Reply-To: <157CF300-F751-4798-A82A-88B69C5CE15C@senki.org>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Good info, Barry - thanks!
I appreciate your offer, too!
H
--
On 9/29/15 12:39 AM, Barry Greene wrote:
>>
>> Hi Harlan,
>
> The general principle is to look out for the major network lockdowns. Sometimes that is an overlap with holidays. Other times it is over financial close months.
>
> My personal $.02 is to avoid major vulnerability disclosures in December, during Lunar New Year weeks, during Ramadan, and June. Some would also include August (Euro holidays).
>
> But these days there are timers given by the vulnerability finder (or CERT Team) and conference disclosures (security rock stars) that drive the disclosure to a time which is not optimal to the people who have to roll out the remediation.
>
> In essence, write a disclosure policy, put it on your website, and be open for improvements based on input from your constituents. Do your best. That is all you can do.
>
> Barry
>
> PS - Let me know if you need help writing the disclosure policy.
>
>
>
--
Harlan Stenn <stenn@nwtime.org>
http://networktimefoundation.org - be a member!