W3C moves to finalize DRM standardization, reclassifies suing security researchers as a feature, not a bug

As someone from W3C, and because they’re not included in the blog post, some neutral info on the Best Practices is at: https://www.w3.org/2017/01/GVDP-factsheet.html and the best practices themselves https://www.w3.org/TeamSubmission/2017/SUBM-sdbp-20170302/

The Best Practices are currently a W3C Team Submission and at this stage they are voluntary. However, they could become mandatory for all specs at W3C if members (including EFF via Cory, acting as their Advisory Committee Representative) advocate and get consensus on any changes needed to better help support researchers in security, privacy and accessibility.

If the Best Practices are ignored or misrepresented, they WILL only ever be voluntary and unhelpful. If no one signs up to make them better, without member support, they will never get to the Recommendation process. EME had members willing to put in hard work over years to make that specification happen - through all the different stages of approval. For this proposal to protect Security Researchers to truly help, we need experts and member advocates to make them better, to point out what’s needed and to do the hard work of signing up to support and promote them through the W3C process where they could become binding on not just one but all W3C specs (like the Patent Policy).

However, as of today, even though people have said that the suggested Best Practices are insufficient, there has been no action at all in the official W3C channels — where the effort could make the most impact — to answer questionnaires, sign up, comment, get others to agree or offer corrections to make them better.

W3C is asking its members and experts to do the work to help researchers by taking an idea and making it better, and our AC reps to use our process to get it through the recommendations track.
