list of security issues is outdated
fippo opened this issue · 8 comments
... but they're all fixed?
So if I integrate webrtc.org into my product and want to know which problems were there and which affect my products, then I do what?
Or to put a different perspective on it: since the Project Zero bugs (most of the time) only get disclosed once they are fixed upstream, the page will never list any open issues (which might be questionable anyhow). Wouldn't it then be more honest to simply remove that page, instead of creating the illusion that webrtc.org is the safest project ever?
I think removing this would be a good idea, as integrators might mistake that for a page they can monitor to be notified of security patches they need to apply.
Fixed in: #229
No longer outdated indeed. I still think that it should not be that much effort to provide better guidance to users but seeing how long it took you to get this merged... :-|
Security advisories are definitely lacking for external partners so I totally agree with you on #195
I think we need to consider having a mailing list that is just for security advisories and automatically picks up and posts the chromium bugs once they are visible. The current timeline of 14 or so weeks is a long time so finding some balance here between meeting the needs of the chromium security policy and our external customers would be great.
Maybe we can move this over to a webrtc bug and continue the discussion there.