[Ksummit-discuss] [MAINTAINERS SUMMIT] Handling of embargoed security issues

Thomas Gleixner tglx at linutronix.de
Mon Sep 10 09:25:49 UTC 2018


On Sun, 9 Sep 2018, Theodore Y. Ts'o wrote:
> On Sun, Sep 09, 2018 at 11:17:20AM -0700, Andy Lutomirski wrote:
> > 
> > What I want is the opposite of an NDA. I want a gentlemen’s
> > agreement plus an explicit statement that the relevant people *may*
> > talk about the issue among themselves despite any NDAs that might
> > already exist. And that they may release patches when the embargo is
> > up. And that the embargo has an end date, and that the developers
> > may decline an extension.
> 
> So what you're talking about is some kind of "Memo of Understanding"
> that has no talk about "if this leaks Intel will suffer
> millions and billions and zillions of dollars and Intel will sue you
> until your assets are a smoking crater in the ground"?
> 
> If there are no consequences to violating the Gentleman's agreement
> (other than not being included the next time *when* another CPU
> vulnerability comes up), then nothing really needs to be signed, since
> it has no legal impact.

Looking at SSBD/L1TF only and ignoring the Meltdown/Spectre disaster (which
was completely FUBARed by Intel), having something like this in place could
have certainly solved the main gap which we had. We were able to
communicate freely between the informed parties and their allowed-to-know
kernel developers, even across vendors. But there was no simple way to
bring in anybody else. It took us almost 2 months to get GregKH on board,
but there was no way to talk to e.g. the BPF folks in time.

I think this needs to have some formal setup. The way disclosure to
companies works is through coordinators, who then disclose it internally to
the relevant people.

We should provide something similar, i.e. an embargo coordination group,
which coordinates the issue with the disclosing party. And yes, this only
can be based on a general Memo of Understanding, as there is no way to make
that whole NDA mess work when the group needs to bring in individual
developers.

Having something formal and halfway familiar in place is definitely
something we need before we start to communicate and negotiate that
through all channels.

What I came up with so far is:

 - work out a Memo of Understanding
   
 - appoint an initial group of embargo coordinators, ideally people who
   already have an established trust relationship in the industry.

 - come up with a clear and well defined set of rules on what this embargo
   group does and what it does not.

   Its sole purpose is to handle and coordinate the kind of embargo
   issues which have a long preparation time, need coordination with other
   OSes etc., i.e. the Meltdown/Spectre/L1TF scenarios.

   It won't deal with NDAs and has to be free to disclose to individual
   developers based on trust under the MOU.

Creating this kind of formal entity is probably the closest thing to the
established inter corporate embargo handling which we can provide.

Thanks,

	tglx