OpenSSL warns vendors against using vulnerability info for marketing
Security advisories for OpenSSL should not be used for competitive advantage, according to the development project behind the widely used cryptography component.
The warning comes from the OpenSSL Project, which has for the first time published guidelines describing how it handles security problems internally, part of an ongoing effort to strengthen the project following the Heartbleed security scare in April.
High-severity issues, such as remote code execution vulnerabilities, will be kept private within OpenSSL’s development team, ideally for no longer than a month, until a new release is ready. If an update is planned, a notification will be released on the openssl-announce email list, but “no further information about the issues will be given,” it said.