Marc A. Pelletier wrote:
On 06/26/2014 10:15 AM, David Gerard wrote:
NDAs for security bug access are pretty much standard, aren't they?
I don't know about "standard" but they are certainly common in cases where said software has a large installed base and early disclosure of a vulnerability would place them at risk without being able to protect themselves. It's not about avoidance of being "transparent" but to give a bit of protection to third parties - note how fixed security issues are moved from security back to their "real" components when being closed.
If you know of any non-disclosure agreements for large, open-source projects, it'd be interesting and helpful to collect a list of links to them for reference. If they're standard/common, it shouldn't be too difficult to find a lot of examples to look over and learn from.
A very brief search turned up https://wiki.mozilla.org/Legal/Confidential_Information, which outlines some of the issues that Wikimedia similarly faces with respect to non-disclosure agreements and volunteers.
Jeremy Baron wrote:
Maybe Max is unaware of https://wikitech.wikimedia.org/wiki/Volunteer_NDA
Err, thanks for the link. As pointed out, that page is less than a week old and had not been advertised or linked from anywhere, as far as I can tell. I don't think there's a reasonable expectation that anybody would have known about it. I'm also not sure any volunteer is following that page... i.e., I'm not sure it's active or authoritative (yet?).
MZMcBride
P.S. Who's Max?