“That we remove “We strongly believe that the right to advance patches/info
should not be based in any way on paid membership to some forum. You can not
pay us to get security patches in advance.” from the security policy and Mark
posts a blog entry to explain the change including that we have no
current such service.”
At the OpenSSL Management Committee meeting earlier this month we passed the vote above to remove a section of our security policy. Part of that vote
was that I would write this blog post to explain why we made this change.
At each face to face meeting we aim to ensure that our policies still match the
view of the current membership committee at that time, and will vote to change
those that don’t.
Prior to 2018 our Security Policy used to contain a lot of background
information on why we selected the policy we did, justifying it and adding lots
of explanatory detail. We included details of things we’d tried before and
things that worked and didn’t work to arrive at our conclusion. At our face to face meeting in London at the end of
2017 we decided to remove a lot of the background information and stick to
explaining the policy simply and concisely. I split out
what were the guiding principles from the policy into their own list.
OpenSSL has some full-time fellows who are paid from various revenue sources
coming into OpenSSL including sponsorship and support contracts. We’ve
discussed having the option in the future to allow us to share patches for
security issues in advance to these support contract customers. We already
share serious issues a little in advance with some OS vendors (and this is
still a principle in the policy to do so), and this policy has helped ensure
that the patches and advisory get an extra level of testing before being
Thankfully there are relatively few serious issues in OpenSSL these days; the last worse
than Moderate severity
being in February 2017.
In the vote text we wrote that we have “no current such service” and neither do
we have any plan right now to create such a service. But we allow ourselves to
consider such a possibility in the future now that this principle, which no longer
represents the view of the OMC, is removed.