[liberationtech] Can you confirm these are not best practices for handling disclosure?

Zak Rogoff zak at fsf.org
Mon Jan 30 14:49:08 PST 2017


Hi liberationtech,

The W3C, which sets Web standards, just released this

https://www.w3.org/2017/01/GVDP-factsheet.html

in an attempt to pacify all of us who are complaining that their plan to
make DRM part of Web standards would be bad for security researchers.
It's a draft of "best practices" for companies to follow when security
researchers disclose vulns to them.

Is anyone who's knowledgeable about disclosure policies able to take a
look at it and share your thoughts?

To me, it looks like it's not much of a protection for the researchers,
because it's totally voluntary and apparently allows companies to ignore
it if they make such arbitrary judgements as that the security
researcher didn't give them a "reasonable" amount of time between
private and public disclosure.

I think we can take Netflix's policy (linked from the W3C page) to be
pretty representative of the policies these guidelines will produce. How
does it compare to typical companies' policies? Are there really good
policies that it would be better for the W3C to model their guidelines on?

-- 
Zak Rogoff // Campaigns Manager
Free Software Foundation
