
Re: Status of draft-christey-wysopal-vuln-disclosure-00.txt

2002-12-26 12:43:30
Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu writes:

The general consensus as I read it was that the christey-wysopal draft was
generally considered a very good and reasonable document.

There was quite a bit of rejection, and some very profound criticism (the
killer argument, IMHO, is that a large part of the industry does not
accept _any_ disclosure at all).

However, this is now a strawman.  The document has clearly been
overtaken by events (if it has ever been up-to-date).  For example, it
ignores that currently, those people who are expected to play the role
of Coordinators usually provide paid prepublication access to
vulnerability information.  The draft does not require Coordinators to
keep the information they receive strictly confidential, but I'm not
sure if this was the intent of the authors or just an oversight.

(I'm sorry for the long Cc: list; I'm not sure if it is appropriate.
Please complain if you don't want to receive further messages.)