[NCUC-DISCUSS] Suggested Comment: Draft Framework for Registry Operators to Respond to Security Threats

thomascovenant thomascovenant at thomascovenant.org
Mon Jul 31 00:24:55 CEST 2017


Hello,

The comment proposal is below; what are your thoughts?

https://docs.google.com/document/d/1TfgHuMqzD660_CHLQMXMW4phnBtLSP94j6X5riY2Ko4/edit

Note from Security Framework Drafting Team wiki workspace:

- Is Public Comment required for the draft Framework?
- This is not a policy implementation nor a contractual requirements document; therefore, a public comment proceeding would not be required. However, SFDT has decided to conduct a public comment for broader community feedback prior to finalization of the Framework.

Main points:

- Framework should be expanded
- Several minor details are to be clarified, restructuring proposal
- As a small step in response to the proposed detailed report examination, I suggest we include a recommendation on Responsible Threat Disclosure.

Finally, I quote Point 3 from the Comment:

"Since the following examination of threat reports is identified in the Framework, we strongly suggest that a recommendation on Responsible Threat Disclosure be included in the document:

'Each RO should scrutinize, question or otherwise inquire about the legitimacy of the origin
of a request, in accordance with their own internal policies and processes.'

We have seen a broad variation in handling security threat reports, varying from constructive actions addressing the issues to punishment of the reporting party. Benefits of responsible threat submission are obvious.

In this context, it is important to underline the benefits and importance of responsible threat disclosure. We request a recommendation to extend goodwill and not cause harm to the reporting party whenever possible:

When applicable, RO should provide:

- an easy way to report security threats and violations
- encrypted ways of communication
- option of anonymous submission"

Other:

- This is my first comment drafted with input from Juan Manuel Rojas (thank you for commenting). Access to shared document and request for review was given to those who expressed interest in working on it. All input from the list is very welcome. Please let me know what needs to be corrected and I will promptly do it.
- The comment is a bit late; I will request an extra week to discuss the proposal, with my humble excuses.

BR,
Dina Solveig Jalkanen
-- 
* * *
Friendly geek in Amsterdam, FSFE Fellow
https://wiki.techinc.nl/index.php/User:Thomascovenant