nanog mailing list archives
Re: Security release scheduling
From: Barry Greene <bgreene () senki org>
Date: Tue, 29 Sep 2015 15:39:57 +0800
Hi Harlan,
The general principle is to look out for the major network lock downs. Sometimes that overlaps with holidays. Other times it is over financial close months. My personal $.02 is to avoid major vulnerability disclosures in December, during Lunar New Year weeks, during Ramadan, and June. Some would also include August (Euro holidays).

But these days there are timers given by the vulnerability finder (or CERT Team) and conference disclosures (security rock stars) that drive the disclosure to a time which is not optimal to the people who have to roll out the remediation.

In essence, write a disclosure policy, put it on your website, and be open for improvements based on input from your constituents. Do your best. That is all you can do.

Barry

PS - Let me know if you need help writing the disclosure policy.