Security release scheduling

Harlan Stenn stenn at nwtime.org
Tue Sep 29 07:57:19 UTC 2015


Good info, Barry - thanks!

I appreciate your offer, too!

H
--

On 9/29/15 12:39 AM, Barry Greene wrote:
>>
>> Hi Harlan,
> 
> The general principle is to look out for the major network lockdowns. Sometimes that overlaps with holidays. Other times it is over financial close months.
> 
> My personal $.02 is to avoid major vulnerability disclosures in December, during Lunar New Year weeks, during Ramadan, and June. Some would also include August (Euro holidays).
> 
> But these days there are timers given by the vulnerability finder (or CERT Team) and conference disclosures (security rock stars) that drive the disclosure to a time which is not optimal to the people who have to roll out the remediation. 
> 
> In essence, write a disclosure policy, put it on your website, and be open for improvements based on input from your constituents. Do your best. That is all you can do.
> 
> Barry
> 
> PS - Let me know if you need help writing the disclosure policy. 
> 
> 
> 

-- 
Harlan Stenn <stenn at nwtime.org>
http://networktimefoundation.org - be a member!




More information about the NANOG mailing list