Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 4 Jun 2014 08:03:40 -0400
From: Lisa Bradley <lbradley@...ibm.com>
To: oss-security@...ts.openwall.com
Subject: Re: Operating system distribution security contact lists


Hi

Thanks for the wiki suggestion I will look into it. As for my LinkedIn, it
is extremely out of date, guess you just helped encourage me to move that
up on my priority list :o)

~Lisa

Lisa Marie Wood Bradley, PhD
Product Security Incident Response Team (PSIRT), SWG Master Inventor
lbradley<at> us <dot> ibm <dot> com


From:	Solar Designer <solar@...nwall.com>
To:	oss-security@...ts.openwall.com,
Date:	06/04/2014 02:55 AM
Subject:	Re: [oss-security] Operating system distribution security
            contact lists



Hi Lisa,

On Tue, Jun 03, 2014 at 09:13:41AM -0600, Lisa Bradley wrote:
> I would like to request membership to the closed "Operating system
> distribution security contact lists" mailing list on behalf of the IBM
> Product Security Incident Response Team (PSIRT). I am part of the PSIRT
> team where I help manage the receipt, investigation and internal
> coordination of security vulnerability information related to IBM
> offerings. You can read more about PSIRT here:
> http://www-03.ibm.com/security/secure-engineering/process.html.  I am the
> main coordinator of Open Source vulnerabilities that affect IBM products.
> We have products that utilize Open Source software, so being part of this
> list will be beneficial. I do not plan on posting any IBM product
specific
> issues as we do that through Security Bulletins (see
> http://www-03.ibm.com/security/secure-engineering/bulletins.html).
>
> You can verify that I am part of the PSIRT team by emailing PSIRT
directly
> at IBM PSIRT<slash>Somers<slash>IBM or psirt<at>us<dot>ibm<dot>com.

Thank you for bringing this to oss-security.  Besides the above, if this
community says that IBM should be on the distros list, we'll need
someone already active on oss-security to vouch for you - or I think it
could be Troy Bollinger, who was active on Bugtraq.  Per LinkedIn, he
left IBM when you were already at IBM (for some years), so possibly he
could vouch for you?  Your LinkedIn profile, if I found the right one,
does not mention security, though, so I don't know if you were in
contact with Troy back then or not.

Would it be reasonable to include IBM security advisory/contact details
on our wiki?

http://oss-security.openwall.org/wiki/vendors

If there are specific OSS products with their own advisory/contact
details (different from IBM PSIRT's catch-all), they may be added to:

http://oss-security.openwall.org/wiki/software

(Yes, this is the same suggestion I just made to VMware.)

Anyone can register for an account and edit the wiki, so please do if
you find this desirable.

What do others in this community think?  To remind, on vendor-sec we had
representatives from Apple and SGI.  We "lost" them when, after
vendor-sec ceased to exist, I setup only a linux-distros list initially.
At a later time, we also got the distros list, to which Apple and SGI
would probably be welcome again - but that issue was not brought up
again at that time.

Both the Apple folks and the vendor-sec member from SGI were helpful to
the rest of the community on vendor-sec, so it was not one-way
communication.  IIRC, Red Hat folks actually said that I was wrong in
limiting the initial membership to Linux distros only, leaving Apple out
despite of their valuable contributions to vendor-sec and them having
some Open Source products (they're upstream for CUPS, etc.)  Perhaps we
should have explicitly invited Apple and SGI folks to join distros when
that list was finally setup.  Perhaps it's not too late to do that now.

I'd appreciate comments from the community.  I have no strong feelings
for, nor against, expanding the distros list membership to include
(mostly/partially) closed-source vendors.

As yet another option, if the community wants that, I may setup an
open-distros list that would include Linux and Open Source *BSDs
(initially just the current members of distros), but not the
(mostly/partially) closed-source vendors (who would be on distros only).
That way, any folks who are possibly uncomfortable about notifying
closed-source vendors would have the option to still use our PGP
re-encrypting setup to notify just the Open Source distro vendors.
Or maybe I am imagining that a significant number of people reporting
vulnerabilities would be uncomfortable providing advance notification to
closed-source vendors?

Alexander


Content of type "text/html" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.