At least for now, Orion is dependent upon key software such as the WebKit browser engine. On desktop, Orion currently distributes the version of WebKit it uses with the browser download/update itself. This necessarily means that there could be a delay between a critical security vulnerability getting fixed in WebKit by Apple and a new release of Orion that addresses it.
My proposal is that Orion publishes a Service Level Agreement (SLA) in the FAQ that states the maximum amount of time that should pass between a critical security fix getting released and Orion issuing a new version that includes it.
Example:
Q: "How promptly does Orion address security updates for critical vulnerabilities?"
A: "Although we hope to respond even more quickly, critical vulnerabilities in Orion and its components (e.g., the WebKit browser engine) are actively monitored and resulting upstream updates should be published for Orion users within 24 hours of the update's release."
The time window can be expressed more conservatively or aggressively to suit resources and prioritization, and evolve to have a tighter window or include specific details (e.g., "patches that address vulnerabilities with a CVSS score of 7.0 or higher") if or when it makes sense.
Privacy concerns and security concerns go hand in hand, and Orion takes very strong positions on privacy. On security, it could provide key assurance for potentially paying customers of a niche browser to know what the longest possible window of exposure might be for a known, already-addressed vulnerability. Web browsers are one of the largest attack surfaces in personal computing, and issues with them can put at risk anything that the computer itself could put at risk: finances, identity, etc.