Marc A. Pelletier wrote:
On 06/26/2014 10:15 AM, David Gerard wrote:
NDAs for security bug access are pretty much
standard, aren't they?
I don't know about "standard" but they are certainly common in cases
where said software has a large installed base and early disclosure of a
vulnerability would place them at risk without being able to protect
themselves. It's not about avoiding being "transparent" but about giving
a bit of protection to third parties; note how fixed security issues
are moved from security back to their "real" components when being closed.
If you know of any non-disclosure agreements for large, open-source
projects, it'd be interesting and helpful to collect a list of links to
them for reference. If they're standard/common, it shouldn't be too
difficult to find a lot of examples to look over and learn from.
A very brief search turned up
<https://wiki.mozilla.org/Legal/Confidential_Information>, which outlines
some of the issues that Wikimedia similarly faces with respect to
non-disclosure agreements and volunteers.
Jeremy Baron wrote:
Err, thanks for the link. As pointed out, that page is less than a week
old and had not been advertised or linked from anywhere, as far as I can
tell. I don't think there's a reasonable expectation that anybody would
have known about it. I'm also not sure any volunteer is following that
page... i.e., I'm not sure it's active or authoritative (yet?).
MZMcBride
P.S. Who's Max?