Yubico Forum
https://forum.yubico.com/

OpenPGP security advisory publication
https://forum.yubico.com/viewtopic.php?f=26&t=1862

Author:  sbs [ Tue Apr 28, 2015 11:36 pm ]
Post subject:  OpenPGP security advisory publication

Hi David et al,

The security advisory was published on 2015-04-14, yet it wasn't announced on Twitter and on this forum until 2015-04-24, and the company blog post didn't go out until 2015-04-27. Why was there a delay in letting customers know (the advisory was already published but was buried with the releases)?

And for the future, is there a dedicated channel/mailing-list where security announcements will be posted?

Author:  JFontana [ Thu Apr 30, 2015 3:09 am ]
Post subject:  Re: OpenPGP security advisory publication

We take seriously our responsibilities that range from notification to remediation when dealing with issues around product. After our initial advisory on the YubiKey NEO, we considered feedback and adjusted our original remediation guidance. From there our required disclosure steps included due diligence, crafting a replacement plan, ensuring we had stock for fulfillment, and logistical management of that rollout. Timing was influenced by the fact we have a physical device that was needed in quantity and required shipping. That resulted in a gap between the advisory and the Twitter and Forum posts. The blog post was a repeat of the Forum post, just in another channel.
In addition, we have added a section to our forum called “Security Advisories” and will roll out a new notification service.

All times are UTC + 1 hour