* Bruce Momjian (bruce@momjian.us) wrote:
> These are all good points. The vulnerability that got Heroku early
> access was a network port vulnerability. A different type of
> vulnerability might _not_ have gotten them early access, and might have
> gotten someone else early access. This port vulnerability was of a
> severity that historically we only see every five years, so it is hard
> to come up with a policy that might not be exercised for another five
> years.
I'm not a fan of building some massive table of who has what exposures
that we need to go and consult every time we have a security fix.
There's either "ok, certain people should know about this ahead of time"
and "this is small-potatoes and doesn't really need early notice", which
mainly boils down into unauthenticated vs. authenticated
vulnerabilities, imv.
I do agree, however, that each security issue needs to be considered
independently on a case-by-case basis.
Thanks,
Stephen
